CVE Catalog

CVE-2026-2100

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.16%

63th percentile - higher than 63% of all known CVEs

Summary

A flaw was found in p11-kit where a remote attacker could exploit the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially causing a NULL dereference or undefined behavior.

Risk Assessment

This vulnerability may result in application-level denial of service or other unpredictable system states, threatening the stability and availability of services using p11-kit.

Recommendation

Update p11-kit to the latest patched version immediately. Until the update is applied, restrict access to remote tokens and monitor for unusual application behavior.

Original NVD description (English source)

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS