CVE-2026-48064: pam_usb: PAM_RHOST check skipped when deny_remote=false allows XDMCP authentication bypass
pam_usb provides hardware authentication for Linux using ordinary removable media. Prior to 0.9.1, when a PAM service is configured with deny_remote=false in pam_usb (commonly done for display managers such as gdm-password or lightdm to bypass process/TTY heuristics for local sessions), the PAM_RHOST check in pusb_do_auth() is also skipped. PAM_RHOST is set by remote daemons (sshd, XDMCP servers) to identify the remote client address. Because the check is gated inside if (opts.deny_remote), a genuine remote XDMCP connection reaches the USB device authentication step instead of being rejected. This vulnerability is fixed in 0.9.1.
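The gate described above, modelled in C as an added example (constructed here, not pam_usb's source): the vulnerable shape, where the PAM_RHOST check sits inside `if (opts.deny_remote)`, beside a hardened shape that checks PAM_RHOST unconditionally. `deny_remote`, `PAM_RHOST` and `pusb_do_auth()` come from the advisory; the struct, the verdict enum and the `tty_looks_remote` flag standing in for the process/TTY heuristics are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of the deny_remote gate the advisory describes; it is
 * not pam_usb's code. opts.deny_remote and PAM_RHOST come from the
 * advisory; the struct, enum and function names are illustrative. */
struct pusb_opts {
    bool deny_remote;  /* service option deny_remote=true|false */
};

enum verdict { GATE_REJECT = 0, GATE_CONTINUE_TO_USB = 1 };

/* rhost models what pam_get_item(PAM_RHOST) yields: NULL or "" for a
 * local session, a client address when a remote daemon (sshd, XDMCP)
 * set it. tty_looks_remote models the process/TTY heuristics that
 * deny_remote=false exists to skip for local display managers. */

/* Vulnerable shape (pre-0.9.1, as described): the PAM_RHOST check sits
 * inside if (opts.deny_remote), so deny_remote=false also drops it and a
 * genuine remote XDMCP session reaches the USB device check. */
enum verdict gate_vulnerable(const struct pusb_opts *o, const char *rhost,
                             bool tty_looks_remote)
{
    if (o->deny_remote) {
        if (rhost != NULL && rhost[0] != '\0')
            return GATE_REJECT;
        if (tty_looks_remote)
            return GATE_REJECT;
    }
    return GATE_CONTINUE_TO_USB;
}

/* Hardened shape (my reading of the advisory, not the upstream patch):
 * a non-empty PAM_RHOST rejects unconditionally, because the remote
 * daemon itself set it and it is not a heuristic; only the TTY/process
 * heuristics stay gated behind deny_remote. */
enum verdict gate_hardened(const struct pusb_opts *o, const char *rhost,
                           bool tty_looks_remote)
{
    if (rhost != NULL && rhost[0] != '\0')
        return GATE_REJECT;
    if (o->deny_remote && tty_looks_remote)
        return GATE_REJECT;
    return GATE_CONTINUE_TO_USB;
}
```

With `deny_remote=false` and a constructed client address in PAM_RHOST, `gate_vulnerable` continues to the USB step while `gate_hardened` rejects; a local session with no PAM_RHOST still passes the hardened gate even when the TTY heuristics would have flagged it.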
HarborGuard Analysis
Synopsis
An authentication bypass vulnerability in pam_usb (the PAM hardware-authentication module for Linux) allows a remote attacker to reach the USB device authentication step over the network without being blocked by the remote-host denial logic. When a PAM service is configured with deny_remote=false, the PAM_RHOST check that should reject connections from remote daemons such as XDMCP servers is also disabled, letting a genuine remote XDMCP session proceed directly to USB device verification instead of being turned away. Successful exploitation gives the attacker full read, write, and availability impact on the affected system. No fix versions have been published yet; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.
HarborGuard Coverage
Detection of CVE-2026-48064 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle pam_usb. Coverage applies to any image layer containing affected versions of the mcdope/pam_usb package below 0.9.1.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 8.1 (HIGH) and weighting it against each environment's compliance policy to determine urgency and escalation path. Per-organization routing rules can direct the alert to the appropriate team inbox, whether that is a platform team, an identity and access management owner, or a broader security queue.
Status: Available
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a remediated release appears. In the meantime, customers with auto-remediation enabled will receive a notification and can apply compensating controls through policy enforcement in their pipeline configuration.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the target service over the network; the vulnerability is exposed through XDMCP or similar remote daemon connections that set PAM_RHOST.
- Authentication: Not required
No credentials or account are required before triggering the bypass; the flaw occurs in the pre-authentication gate that decides whether a remote session is even allowed to proceed.
- Victim interaction: Not required
No action by a logged-in user or administrator is needed; the attacker sends a remote connection and the bypass occurs automatically.
- Attack complexity: High
Exploitation is rated high complexity, meaning the attacker must meet specific environmental conditions, such as a PAM service configured with deny_remote=false and an accessible XDMCP endpoint, rather than exploiting a universally reachable path.
Blast Radius
- A successful attacker gains unauthorized access to the target system's authentication context, allowing them to read sensitive files, stored credentials, and session tokens accessible to the authenticated user.
- The attacker can modify persisted files, configuration, and data on the system with the privileges of the account they authenticate as.
- The attacker can crash or disrupt the affected service or system processes, causing a denial of service for legitimate users.
- Because the bypass sidesteps the hardware USB token requirement, any system relying on pam_usb as a second factor loses that control entirely for affected service configurations.
How HarborGuard Handles This
Available on HarborGuard: any image containing pam_usb versions below 0.9.1 is flagged at HIGH severity (CVSS 8.1) and surfaced in the affected environment's finding queue. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once version 0.9.1 or a later remediated release is published; for customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth evaluating include restricting XDMCP port access via network policy to prevent remote daemon connections from reaching the PAM stack, auditing all PAM service configurations that set deny_remote=false to determine whether that setting is strictly necessary, and isolating display-manager workloads from externally reachable network segments using egress and ingress filtering.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - mcdope/pam_usb < 0.9.1
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H