7.5

CVE-2026-2100

P11-kit: null dereference via c_derivekey with specific null parameters

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
P11-kit ProjectP11-kit Version-
RedhatHardened Images Version-
RedhatEnterprise Linux Version9.0
RedhatEnterprise Linux Version10.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.16% 0.633
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
secalert@redhat.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-824 Access of Uninitialized Pointer

The product accesses or uses a pointer that has not been initialized.

https://bugzilla.redhat.com/show_bug.cgi?id=2437308
Vendor Advisory
Issue Tracking
https://github.com/p11-glue/p11-kit/pull/740
Patch
Issue Tracking
https://access.redhat.com/errata/RHSA-2026:21275
https://access.redhat.com/errata/RHSA-2026:22634
https://access.redhat.com/errata/RHSA-2026:18143
https://access.redhat.com/errata/RHSA-2026:18599
https://access.redhat.com/errata/RHSA-2026:27998
https://access.redhat.com/errata/RHSA-2026:7065
https://access.redhat.com/security/cve/CVE-2026-2100
Vendor Advisory
https://github.com/p11-glue/p11-kit/releases/tag/0.26.2