Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2026-2100

Опубликовано: 06 фев. 2026
Источник: redhat
CVSS3: 5.3
EPSS Низкий

Описание

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Отчет

This MODERATE impact flaw in p11-kit allows a remote attacker to cause an application level denial of service or unpredictable system states. Exploitation occurs when the C_DeriveKey function is called on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This affects Red Hat Enterprise Linux 9.8 and 10.2, Fedora 42 and 43, and Red Hat In-Vehicle OS 2.0. Other Red Hat products, including OpenShift Container Platform and various RHEL versions, are not affected as the vulnerable code is not present.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 10p11-kitAffected
Red Hat Enterprise Linux 6p11-kitNot affected
Red Hat Enterprise Linux 7p11-kitNot affected
Red Hat Enterprise Linux 8p11-kitNot affected
Red Hat Enterprise Linux 9p11-kitAffected
Red Hat OpenShift Container Platform 4rhcosNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-824
https://bugzilla.redhat.com/show_bug.cgi?id=2437308p11-kit: p11-kit: NULL dereference via C_DeriveKey with specific NULL parameters

EPSS

Процентиль: 27%
0.00095
Низкий

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2026-2100

ubuntu
около 2 месяцев назад

[NULL dereference via C_DeriveKey with specific NULL parameters]

debian логотип

CVE-2026-2100

debian

[NULL dereference via C_DeriveKey with specific NULL parameters]

github логотип

GHSA-hq85-3f6c-jx84

CVSS3: 5.3
github
4 дня назад

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

EPSS

Процентиль: 27%
0.00095
Низкий

5.3 Medium

CVSS3