CVE-2026-48981— pam_usb: xmlReadFile flags=0 permits XXE network entity fetching in conf.c
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48981
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
pam_usb: xmlReadFile flags=0 permits XXE network entity fetching in conf.c
Source: NVD (National Vulnerability Database)
Vulnerability Description
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, pam_usb calls xmlReadFile() with flags=0 when loading the configuration file, allowing libxml2 to process external entity references (XXE), potentially making outbound network connections or local file reads at XML parse time from the context of the authenticating process. The vulnerability requires the configuration file to contain crafted XML entity references. Since pam_usb.conf is root-owned, direct exploitation requires prior write access to the config, but the defence-in-depth impact is significant given that pam_usb.so runs in setuid contexts (sudo, su). This issue has been fixed in version 0.9.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
XML外部实体引用的不恰当限制(XXE)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48981
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48981
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-48981 (1)
Vendor Advisories for CVE-2026-48981 (1)
Same Patch Batch · mcdope · 2026-06-18 · 7 CVEs total
| CVE-2026-48980 | 6.3 MEDIUM | pam_usb: getenv() used in PAM context allows environment variable injection into local-che |
| CVE-2026-48982 | 5.8 MEDIUM | pam_usb: Missing O_EXCL on pad temp file creation allows concurrent update race |
| CVE-2026-48983 | 5.8 MEDIUM | pam_usb: TOCTOU race condition in pad directory creation allows symlink substitution |
| CVE-2026-48985 | 5.5 MEDIUM | pam_usb: NULL Dereference Crash in pusb_is_loginctl_local when loginctl Returns Empty Remo |
| CVE-2026-48984 | 4.7 MEDIUM | pam_usb: xfree() does not call explicit_bzero — sensitive cryptographic material may linge |
| CVE-2026-48986 | 4.7 MEDIUM | pam_usb: Infinite loop DoS in process-tree walk when parent process exits during authentic |
IV. Related Vulnerabilities
Same product: pam_usb
- CVE-2026-48980
pam_usb: getenv() used in PAM context allows environment var - CVE-2026-48983
pam_usb: TOCTOU race condition in pad directory creation all - CVE-2026-48982
pam_usb: Missing O_EXCL on pad temp file creation allows con - CVE-2026-48985
pam_usb: NULL Dereference Crash in pusb_is_loginctl_local wh - CVE-2026-48986
pam_usb: Infinite loop DoS in process-tree walk when parent
Same vendor: mcdope
- CVE-2026-48980
pam_usb: getenv() used in PAM context allows environment var - CVE-2026-48983
pam_usb: TOCTOU race condition in pad directory creation all - CVE-2026-48982
pam_usb: Missing O_EXCL on pad temp file creation allows con - CVE-2026-48985
pam_usb: NULL Dereference Crash in pusb_is_loginctl_local wh - CVE-2026-48986
pam_usb: Infinite loop DoS in process-tree walk when parent
Same weakness: CWE-611
- CVE-2026-49875
Apache CXF: XML External Entity (XXE) Injection in W3CMultiS - CVE-2026-40998
Jaxp13 XPath XXE via StreamSource and SAXSource - CVE-2026-40991
XML External Entity (XXE) injection when documenting untrust - CVE-2026-47960
ColdFusion | Improper Restriction of XML External Entity Ref - CVE-2026-8045
Schneider Electric Data Center Expert 代码问题漏洞
V. Comments for CVE-2026-48981
No comments yet