PT-2026-44090 · Pam Usb · Pam Usb
Mcdope · Published 2026-05-27 · Updated 2026-05-27 · CVE-2026-48066
CVSS v3.1: 5.7 (Medium)
Vector: AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
pam usb versions prior to 0.9.1
Description
In src/log.c, a process-wide static pointer is written with the address of a stack-local variable during every PAM invocation. This behavior violates the PAM re-entrancy requirement (the ability of a function to be interrupted and safely called again before its previous invocation has finished), resulting in a data race when the PAM stack is invoked concurrently from multiple threads.
Recommendations
Update to version 0.9.1.
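The pattern from the description, replayed deterministically in a single thread next to a re-entrant form that passes per-invocation context explicitly. This is an added example, not pam_usb's code or its 0.9.1 fix; `struct opts`, the function names and the service names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical per-invocation options; not pam_usb's real struct. */
struct opts { const char *service; int debug; };

/* Pattern from the advisory: one process-wide pointer for all invocations. */
static const struct opts *g_opts;

static void unsafe_begin(const struct opts *o) { g_opts = o; }

/* Formats a log prefix from whatever g_opts points at right now. */
static const char *unsafe_prefix(char *buf, size_t n) {
    snprintf(buf, n, "[%s]", g_opts->service);
    return buf;
}

/* Re-entrant form: the caller hands in its own context, no shared state. */
static const char *safe_prefix(const struct opts *o, char *buf, size_t n) {
    snprintf(buf, n, "[%s]", o->service);
    return buf;
}

/* Replays the interleaving two threads could produce: A begins, B begins,
 * then A logs. Returns 1 if A's log line carries B's service name. */
int unsafe_leaks_across_invocations(void) {
    struct opts a = { "sshd", 0 }, b = { "sudo", 1 };
    char buf[32];
    unsafe_begin(&a);
    unsafe_begin(&b);   /* second invocation overwrites the shared pointer */
    /* After this function returns, g_opts still points into this dead
     * frame: the dangling-pointer half of the same defect. */
    return strcmp(unsafe_prefix(buf, sizeof buf), "[sudo]") == 0;
}

/* Returns 1 if each invocation logs with its own options. */
int safe_keeps_invocations_apart(void) {
    struct opts a = { "sshd", 0 }, b = { "sudo", 1 };
    char ba[32], bb[32];
    return strcmp(safe_prefix(&a, ba, sizeof ba), "[sshd]") == 0 &&
           strcmp(safe_prefix(&b, bb, sizeof bb), "[sudo]") == 0;
}

int main(void) {
    printf("unsafe leaks: %d\n", unsafe_leaks_across_invocations());
    printf("safe isolated: %d\n", safe_keeps_invocations_apart());
    return 0;
}
```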
Fix
Race Condition
NULL Pointer Dereference
Affected Products
Pam Usb