CVE-2026-48982

CVE-2026-48982 is a medium-severity vulnerability with a CVSS 3.x base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-362.

Key facts

Description

pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, when updating a one-time pad file, a temporary file is created using open() without the O_EXCL flag. Without O_EXCL, the create operation is not atomic: two concurrent processes racing to update the same pad may both succeed in opening the file, with the second write silently overwriting the first. The one-time pad is the core replay-prevention mechanism of pam_usb. A successful race could result in the stored pad value diverging from what either process expected, potentially causing authentication failures or, in a precisely timed attack, creating a window for pad reuse. This issue has been fixed in version 0.9.2.

Frequently asked questions

What is CVE-2026-48982?
pam_usb provides hardware authentication for Linux using ordinary removable media. In versions prior to 0.9.2, when updating a one-time pad file, a temporary file is created using open() without the O_EXCL flag. Without O_EXCL, the create operation is not atomic: two concurrent processes racing to update the same pad may both succeed in opening the file, with the second write silently overwriting the first. The one-time pad is the core replay-prevention mechanism of pam_usb. A successful race could result in the stored pad value diverging from what either process expected, potentially causing authentication failures or, in a precisely timed attack, creating a window for pad reuse. This issue has been fixed in version 0.9.2.
How severe is CVE-2026-48982?
CVE-2026-48982 has a CVSS 3.x base score of 5.8, rated medium severity. It is exploitable over local access with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability low.
Is CVE-2026-48982 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (1st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-48982?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-48982 have an EU (EUVD) identifier?
Yes. CVE-2026-48982 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37935.
When was CVE-2026-48982 published?
CVE-2026-48982 was published on 2026-06-18 and last updated on 2026-06-22.

References

Other CWE-362 (Race Condition) vulnerabilities

Browse all CWE-362 (Race Condition) vulnerabilities →