{"api_version":"1","generated_at":"2026-06-18T21:04:42+00:00","cve":"CVE-2026-48984","urls":{"html":"https://cve.report/CVE-2026-48984","api":"https://cve.report/api/cve/CVE-2026-48984.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48984","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48984"},"summary":{"title":"pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may linger in freed heap","description":"pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-18 18:16:19","updated_at":"2026-06-18 20:16:14"},"problem_types":["CWE-14","CWE-226","CWE-14 CWE-14: Compiler Removal of Code to Clear Buffers","CWE-226 CWE-226: Sensitive Information in Resource Not Removed Before Reuse"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/mcdope/pam_usb/releases/tag/0.9.2","name":"https://github.com/mcdope/pam_usb/releases/tag/0.9.2","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/mcdope/pam_usb/security/advisories/GHSA-rmp6-wfrq-wrrc","name":"https://github.com/mcdope/pam_usb/security/advisories/GHSA-rmp6-wfrq-wrrc","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48984","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48984","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"mcdope","product":"pam_usb","version":"affected < 0.9.2","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-48984","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-18T18:47:42.610995Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-18T18:48:13.213Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"pam_usb","vendor":"mcdope","versions":[{"status":"affected","version":"< 0.9.2"}]}],"descriptions":[{"lang":"en","value":"pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper)."}],"metrics":[{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":4.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-14","description":"CWE-14: Compiler Removal of Code to Clear Buffers","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-226","description":"CWE-226: Sensitive Information in Resource Not Removed Before Reuse","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-18T17:06:00.918Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/mcdope/pam_usb/security/advisories/GHSA-rmp6-wfrq-wrrc","tags":["x_refsource_CONFIRM"],"url":"https://github.com/mcdope/pam_usb/security/advisories/GHSA-rmp6-wfrq-wrrc"},{"name":"https://github.com/mcdope/pam_usb/releases/tag/0.9.2","tags":["x_refsource_MISC"],"url":"https://github.com/mcdope/pam_usb/releases/tag/0.9.2"}],"source":{"advisory":"GHSA-rmp6-wfrq-wrrc","discovery":"UNKNOWN"},"title":"pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may linger in freed heap"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-48984","datePublished":"2026-06-18T17:06:00.918Z","dateReserved":"2026-05-26T23:26:07.975Z","dateUpdated":"2026-06-18T18:48:13.213Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-18 18:16:19","lastModifiedDate":"2026-06-18 20:16:14","problem_types":["CWE-14","CWE-226","CWE-14 CWE-14: Compiler Removal of Code to Clear Buffers","CWE-226 CWE-226: Sensitive Information in Resource Not Removed Before Reuse"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":4.7,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1,"impactScore":3.6}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-06-18T18:47:42.610995Z","id":"CVE-2026-48984","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48984","Ordinal":"1","Title":"pam_usb: xfree() does not call explicit_bzero — sensitive crypto","CVE":"CVE-2026-48984","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48984","Ordinal":"1","NoteData":"pam_usb provides hardware authentication for Linux using ordinary removable media. In versions 0.9.1 and below, the xfree() memory release helper in calls free() without first zeroing the buffer contents, releasing heap-allocated buffers containing sensitive data — including one-time pad bytes read from disk — without clearing, leaving the sensitive content in freed heap memory until it happens to be overwritten by a subsequent allocation. On a system where a use-after-free condition exists, or where a heap inspection primitive becomes available, this could allow recovery of pad values or other authentication material from freed memory regions. This is a defence-in-depth requirement consistent with prior hardening work in this codebase (GHSA-vx6f-rrqr-j87c applied explicit_bzero to some pad paths; this issue generalises the pattern to the central deallocation helper).","Type":"Description","Title":"pam_usb: xfree() does not call explicit_bzero — sensitive crypto"}]}}}