PT-2026-50784 · Mcdope · Pam Usb
Mcdope · Published 2026-06-18 · Updated 2026-06-18 · CVE-2026-48983
CVSS v3.1: 5.8 Medium
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions
pam usb versions prior to 0.9.2
Description
A symlink race condition exists in the creation of per-device and per-user pad directories. The software employs a check-then-act pattern, where it calls lstat() to verify existence and subsequently calls mkdir() to create the directory. A local attacker can exploit the timing between these calls by replacing the target path with a symlink to a directory under their control. This may result in one-time pad files being written to an attacker-controlled location, which could expose future pad values or disrupt the authentication process.
Recommendations
Update to version 0.9.2.
Fix
Time Of Check To Time Of Use
Weakness Enumeration
Related Identifiers
Affected Products
Pam Usb