CVE-2026-48985
MediumCVSS 5.5Summary
In versions 0.9.1 and below, the pam_usb module can cause a NULL dereference crash when parsing loginctl output. The pusb_is_loginctl_local() function calls popen() and reads the result, which can lead to undefined behavior and crashing the PAM module.
Risk Assessment
Crashes of the PAM module can lead to denial of access to authentication services like sudo or login, affecting all users of the affected service.
Recommendation
It is recommended to upgrade to version 0.9.2 or later to mitigate this vulnerability.
Original NVD description (English source)
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, pusb_is_loginctl_local() can cause a NULL dereference crash when parsing loginctl output. The function calls popen() and reads the result; if the Remote field is only a newline, fgets() succeeds but strtok_r(buf, "\n", &saveptr) returns NULL. A subsequent strcmp(is_remote, "no") then dereferences NULL, causing undefined behavior (typically SIGSEGV) and crashing the PAM module. This can crash the authenticating process (e.g., sudo, login) and, depending on PAM stack configuration, deny access for all users of the affected service. This issue has been fixed in version 0.9.2.

