CVE-2026-48792

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.1

Description In the src/evdev.c file, the pusb has virtual input device() function silently ignores EACCES errors when opening /dev/input/event* nodes. This behavior causes the function to return 0, indicating no virtual devices were found, even if all open() calls failed due to insufficient permissions. Consequently, the caller in src/local.c cannot differentiate between a genuine absence of virtual devices and a scan blocked by permission denials, leading the system to continue authentication without denying access. This effectively disables remote desktop detection during non-root execution.

Recommendations Update to version 0.9.1.