CVE-2026-2100

EUVD-2026-16336

26.03.2026, 21:17

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
redhat	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Debian Releases

Debian Product

Codename

p11-kit

bookworm	0.24.1-2 fixed
bullseye	0.23.22-1 fixed
forky	0.26.2-2 fixed
sid	0.26.2-2 fixed
trixie	0.25.5-3 fixed

Common Weakness Enumeration

CWE-824 - Access of Uninitialized Pointer
The program accesses or uses a pointer that has not been initialized.

References

https://access.redhat.com/security/cve/CVE-2026-2100

https://bugzilla.redhat.com/show_bug.cgi?id=2437308

https://github.com/p11-glue/p11-kit/pull/740