Skip to main content

p11-kit CVE-2026-2100

| EUVDEUVD-2026-16336 HIGH
Access of Uninitialized Pointer (CWE-824)
2026-03-26 redhat GHSA-hq85-3f6c-jx84
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
3.7 LOW

Network-reachable via RPC but requires victim to use attacker-controlled remote token and niche IBM Kyber/BTC mechanism (AC:H), no auth on the RPC client side (PR:N), only process-level crash (A:L, C/I:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

10
Analysis Updated
Jun 22, 2026 - 20:29 vuln.today
v2 (cvss_changed)
Source Code Evidence Fetched
Jun 22, 2026 - 20:29 vuln.today
Analysis Updated
Jun 22, 2026 - 20:29 vuln.today
v1 (cvss_changed)
Re-analysis Queued
Jun 22, 2026 - 20:24 vuln.today
cvss_changed
Severity Changed
Jun 22, 2026 - 20:24 NVD
MEDIUM HIGH
CVSS changed
Jun 22, 2026 - 20:24 NVD
5.3 (MEDIUM) 7.5 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16336
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:01 nvd
MEDIUM 5.3

DescriptionNVD

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

AnalysisAI

Denial of service in p11-kit's PKCS#11 RPC client allows a malicious remote token to trigger a NULL pointer dereference or undefined behavior in applications consuming derive-key operations. The flaw is reachable when an application calls C_DeriveKey against a remote token using IBM Kyber or IBM BTC derive mechanisms whose parameters are NULL, with the RPC client returning an uninitialized value. EPSS is low (0.10%) and no public exploit identified at time of analysis; SSVC marks exploitation as none but automatable.

Technical ContextAI

p11-kit is the GNU/freedesktop PKCS#11 module loader and RPC proxy used by NSS, GnuTLS, OpenSSL engines and the gnome-keyring on most Linux distributions; it brokers cryptographic calls between client applications and PKCS#11 modules across an RPC channel. The vulnerable code paths are p11_rpc_buffer_get_ibm_kyber_mech_param_update and p11_rpc_buffer_get_ibm_btc_derive_mech_param_update in p11-kit/rpc-message.c, which deserialize IBM Kyber post-quantum and IBM BTC (Bitcoin/blockchain) derive mechanism parameters. The root cause is CWE-824 (access of uninitialized pointer): the routines used inverted has_data logic, allowing the data buffer to remain uninitialized while still being dereferenced or copied via memcpy into the caller's pCipher/pChainCode fields. The upstream fix in PR #740 inverts the has_data branch and adds an assert (data != NULL) guard before use.

RemediationAI

Apply the distribution-provided p11-kit update from vendor advisories - on Red Hat Enterprise Linux and OpenShift install the relevant errata (RHSA-2026:7065, RHSA-2026:18143, RHSA-2026:18599, RHSA-2026:21275, RHSA-2026:22634, RHSA-2026:27998) listed at https://access.redhat.com/security/cve/CVE-2026-2100, and pull Ubuntu/Debian package updates via standard channels. Upstream fix is available (PR/commit) at https://github.com/p11-glue/p11-kit/pull/740; a released patched upstream tag is not independently confirmed in the available data. If patching must be deferred, restrict p11-kit RPC clients to trusted local PKCS#11 modules only - do not configure proxy modules pointing at remote/untrusted tokens, avoid the IBM Kyber and IBM BTC derive mechanisms in workflows that talk to untrusted tokens, and segregate any p11-kit-server endpoints behind authenticated transport; the trade-off is loss of remote HSM/token federation and post-quantum/BTC key-derivation capability against those tokens until patches are deployed.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5674 HIGH
8.8 Jul 16

Sandbox escape in PipeWire's PulseAudio compatibility layer lets a low-privileged process inside a confined environment

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

Vendor StatusVendor

Ubuntu

Priority: Medium
p11-kit
Release Status Version
bionic not-affected code not present
focal not-affected code not present
jammy not-affected code not present
noble not-affected code not present
questing not-affected code not present
trusty not-affected code not present
upstream released 0.26.2-1
xenial not-affected code not present

Debian

p11-kit
Release Status Fixed Version Urgency
bullseye not-affected - -
bookworm not-affected - -
trixie not-affected - -
forky, sid fixed 0.26.2-2 -
experimental fixed 0.26.2-1 -
(unstable) fixed 0.26.2-2 -

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed
SLES15-SP5-CHOST-BYOS-SAP-CCloud Fixed
SLES15-SP6-CHOST-BYOS Fixed
SLES15-SP6-CHOST-BYOS-Aliyun Fixed
SLES15-SP6-CHOST-BYOS-Azure Fixed

Share

CVE-2026-2100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy