PT-2026-44084 · Pam Usb · Pam Usb

Mcdope · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-47271

CVSS v3.1: 5.1 Medium
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: pam usb versions prior to 0.9.0

Description: In src/mem.c, out-of-memory guards for the functions xmalloc(), xrealloc(), and xstrdup() were implemented using assert(data != NULL). Because assert() expressions are compiled out when NDEBUG is defined during build time—a common practice in release and packaging builds for Debian, Fedora, and Arch—these guards are removed in such versions. Consequently, these functions return NULL upon allocation failure, which is then dereferenced without a check, leading to a NULL pointer dereference and a crash of the PAM module. This creates a local denial-of-service condition where an attacker inducing memory pressure during authentication can lock all users out of sudo and login.

Recommendations: Update to version 0.9.0.
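
The failure mode described above, as an added example that is not pam usb's code or its 0.9.0 fix: an assert()-only guard compiled with NDEBUG next to an explicit check that survives every build mode. The names try_alloc, simulate_oom, xmalloc_assert_only, xmalloc_checked and copy_name_checked are hypothetical, and allocation failure is simulated with a flag.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hook: lets the example simulate allocation failure. */
static int simulate_oom = 0;
static void *try_alloc(size_t n) { return simulate_oom ? NULL : malloc(n); }

/* Release-style build: NDEBUG is defined before <assert.h> is included. */
#define NDEBUG
#include <assert.h>

/* Pattern from the description: the only OOM guard is an assert(). */
static void *xmalloc_assert_only(size_t n) {
    void *data = try_alloc(n);
    assert(data != NULL);   /* expands to ((void)0) under NDEBUG */
    return data;            /* NULL reaches the caller on failure */
}

#undef NDEBUG
#include <assert.h>         /* re-enable assert() for the rest of the file */

/* Hardened sketch (assumption): an explicit check, independent of NDEBUG. */
static int xmalloc_checked(size_t n, void **out) {
    void *data = try_alloc(n);
    if (data == NULL) { *out = NULL; return -1; }
    *out = data;
    return 0;
}

/* Caller that reports an error instead of dereferencing NULL. */
static int copy_name_checked(const char *src, char **dst) {
    void *buf;
    if (xmalloc_checked(strlen(src) + 1, &buf) != 0)
        return -1;          /* a PAM module would return an error code here */
    memcpy(buf, src, strlen(src) + 1);
    *dst = buf;
    return 0;
}

int main(void) {
    char *name = NULL;
    simulate_oom = 1;                        /* constructed OOM condition */
    void *p = xmalloc_assert_only(16);       /* returns NULL, no abort */
    int rc = copy_name_checked("alice", &name);
    return (p == NULL && rc == -1) ? 0 : 1;
}
```

Building the first function without NDEBUG makes the same call abort instead of returning NULL, which is why the defect only shows up in release and packaging builds.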

Fix · DoS · NULL Pointer Dereference

Weakness Enumeration

Related Identifiers: CVE-2026-47271

Affected Products: Pam Usb