CVE-2026-47271: CWE-476: NULL Pointer Dereference in mcdope pam_usb
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.0, src/mem.c implemented out-of-memory guards for xmalloc(), xrealloc(), and xstrdup() using assert(data != NULL). The C standard specifies that all assert() expressions are compiled out when NDEBUG is defined at build time. NDEBUG is commonly defined in release and packaging builds (Debian, Fedora, Arch package flags all define it via -DNDEBUG in CFLAGS). With the guard removed, xmalloc/xrealloc/xstrdup silently return NULL on allocation failure. Every caller in the codebase dereferences the return value without a NULL check -- this is the intended design, as the guard was supposed to abort before the dereference. With the guard gone, any allocation failure causes a NULL pointer dereference, crashing the PAM module. A crash in a PAM module loaded by sudo or login causes authentication to fail for the duration of the crash, creating a local denial-of-service condition. An attacker who can induce memory pressure at authentication time can lock all users out of sudo and login. This vulnerability is fixed in 0.9.0.
AI Analysis
Technical Summary
The pam_usb module for Linux hardware authentication had out-of-memory guards implemented with assert() calls that are removed in release builds due to the NDEBUG macro. This causes allocation functions xmalloc(), xrealloc(), and xstrdup() to return NULL on failure without aborting. The codebase does not check for NULL returns and dereferences them directly, causing a NULL pointer dereference and crash. This crash in the PAM module disrupts authentication processes such as sudo and login, creating a local denial-of-service. The vulnerability affects versions prior to 0.9.0 and is resolved in 0.9.0.
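The failure mode summarized above, as an added example that is not pam_usb's source: the same assert()-style wrapper built with NDEBUG set, beside a wrapper whose check does not depend on build flags. The function names, the injectable allocator and the fork-based harness are assumptions made for illustration, and the explicit check shows one guard that survives NDEBUG, not necessarily the change shipped in 0.9.0.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for an allocator under memory pressure. */
static void *failing_alloc(size_t n) { (void)n; return NULL; }

#define NDEBUG 1       /* what -DNDEBUG in CFLAGS does */
#include <assert.h>    /* assert(x) now expands to ((void)0) */
static void *xmalloc_assert(void *(*alloc)(size_t), size_t n)
{
    void *data = alloc(n);
    assert(data != NULL);  /* compiled out: no guard remains */
    return data;           /* NULL reaches the caller */
}
#undef NDEBUG
#include <assert.h>    /* re-inclusion restores a live assert() */

/* Hypothetical hardened wrapper: the guard is ordinary code. */
static void *xmalloc_checked(void *(*alloc)(size_t), size_t n)
{
    void *data = alloc(n);
    if (data == NULL)
        abort();           /* stop before any caller dereferences */
    return data;
}

/* Run a wrapper against the failing allocator in a child process.
 * Returns 0 if NULL came back, the signal number if killed, else -1. */
static int outcome_on_oom(void *(*wrapper)(void *(*)(size_t), size_t))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(wrapper(failing_alloc, 64) == NULL ? 0 : 1);
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("assert guard: %d, explicit guard: %d (SIGABRT=%d)\n",
           outcome_on_oom(xmalloc_assert), outcome_on_oom(xmalloc_checked), SIGABRT);
    return 0;
}
```

To check an existing package, look for -DNDEBUG in the build flags of the pam_usb build you run.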
Potential Impact
The vulnerability causes a local denial-of-service by crashing the pam_usb PAM module during authentication attempts. This prevents users from successfully authenticating via sudo or login while the module is crashing. There is no impact on confidentiality or integrity; only availability is affected. Exploitation requires local access and the ability to induce memory pressure at authentication time. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in pam_usb version 0.9.0. Upgrading to version 0.9.0 or later remediates this vulnerability. Until upgrading, users should be aware that inducing memory pressure during authentication can cause denial-of-service. Patch status is not explicitly confirmed beyond the fix in 0.9.0; check the vendor advisory for current remediation guidance.
CVSS v3.1
Score: 5.1 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-18T23:03:37.229Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a17519de29bf47b50e771a1
Added to database: 5/27/2026, 8:18:37 PM
Last enriched: 5/27/2026, 8:35:10 PM
Last updated: 5/29/2026, 5:59:33 AM