CVE-2026-2100: Access of Uninitialized Pointer in P11-kit

Severity
  NVD: 7.5 HIGH
  OSV: 5.3
EPSS
  0.1% (top 83.39%)
CISA KEV
  Not in KEV
Exploit
  No known exploits
Timeline
  Published: Mar 26

Description

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This causes the RPC client to attempt to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. The issue may cause an application-level denial of service or other unpredictable system states.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

  Debian (debian/p11-kit): < 0.26.2-2 (forky)
  Debian (p11-kit_project/p11-kit): < 0.26.2-2

Also affects: Enterprise Linux 10.0, 9.0

Patches

Vulnerability Details (3)

  OSV: CVE-2026-2100: A flaw was found in p11-kit (2026-03-26)
  GHSA: GHSA-hq85-3f6c-jx84: A flaw was found in p11-kit (2026-03-26)
  OSV: CVE-2026-2100: NULL dereference via C_DeriveKey with specific NULL parameters (2026-02-09)

Vendor Advisories (2)

  Red Hat: p11-kit: NULL dereference via C_DeriveKey with specific NULL parameters (2026-02-06)
  Debian: CVE-2026-2100: p11-kit - A flaw was found in p11-kit. A remote attacker could exploit this vulnerability ... (2026)

Threat Intelligence (2)

  Wiz: CVE-2026-2100 Impact, Exploitability, and Mitigation Steps | Wiz
  Wiz: CVE-2020-37140 Impact, Exploitability, and Mitigation Steps | Wiz

Community (1)

  Bugzilla: CVE-2026-2100 p11-kit: NULL dereference via C_DeriveKey with specific NULL parameters (2026-02-06)