CVE-2026-44710

Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.8.7

Description In src/device.c, the return values of the functions udisks drive get serial(), udisks drive get vendor(), and udisks drive get model() are passed directly to strcmp() without NULL checks. According to GIO/UDisks API documentation, these accessors can return NULL for devices that do not expose the corresponding field. Passing a NULL pointer to strcmp() results in undefined behavior, typically leading to a SIGSEGV (segmentation fault), which causes a PAM crash and a login denial-of-service.

Recommendations Update to version 0.8.7.