CVE-2026-2100
Published: 26 March 2026
Summary
CVE-2026-2100 is a medium-severity Access of Uninitialized Pointer (CWE-824) vulnerability in Red Hat Enterprise Linux. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 16.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the p11-kit flaw by requiring timely application of the available patch via Red Hat advisory RHSA-2026:7065 or GitHub PR #740.
Ensures the RPC client in p11-kit properly handles errors from uninitialized values during C_DeriveKey calls with NULL parameters, preventing NULL dereferences and DoS.
Validates input parameters to PKCS#11 functions like C_DeriveKey on remote tokens to reject NULL values for IBM Kyber or BTC mechanisms, blocking the exploit path.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A NULL dereference in the remote RPC path of C_DeriveKey lets a network-reachable caller crash the application or system, matching T1499.004.
NVD Description
A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.
Deeper analysis
CVE-2026-2100 is a vulnerability in p11-kit, a library that facilitates the use of PKCS#11 modules, including support for remote tokens via RPC. The flaw occurs when the C_DeriveKey function is called on a remote token with specific IBM Kyber or IBM BTC derive mechanism parameters set to NULL. This causes the RPC client to attempt to return an uninitialized value (CWE-824, Access of Uninitialized Pointer), potentially leading to a NULL dereference or undefined behavior. The issue has a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with impact primarily on availability.
A remote attacker without privileges can exploit this vulnerability over the network with low complexity and no user interaction required. By invoking the vulnerable C_DeriveKey function with the specified NULL parameters on a remote token, the attacker triggers the RPC client's mishandling of uninitialized data, resulting in application-level denial of service or other unpredictable system states.
Red Hat Security Advisory RHSA-2026:7065 addresses this issue; further details are on the Red Hat CVE page and in Bugzilla entry 2437308. The fix is available as pull request #740 in the p11-kit GitHub repository, and applying the patched packages is the mitigation security practitioners should prioritize.
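As an added illustration (not p11-kit's code; the PKCS#11-style type names, return codes and the stubbed remote token are hypothetical), this shows the CWE-824 pattern the analysis describes and the defensive shape of a fix: the RPC client initializes its output on every path and rejects a NULL mechanism parameter instead of handing back whatever a local happened to hold.

```c
#include <stddef.h>
/* Constructed, PKCS#11-flavoured types and codes used only for this
 * illustration; the names are placeholders, not p11-kit's own definitions. */
typedef unsigned long CK_RV;
typedef unsigned long CK_OBJECT_HANDLE;
#define CKR_OK             0x00UL
#define CKR_ARGUMENTS_BAD  0x07UL
#define CK_INVALID_HANDLE  0UL
typedef struct {
    unsigned long mechanism;
    const void   *pParameter;   /* NULL here is the condition the advisory describes */
    unsigned long ulParameterLen;
} CK_MECHANISM;
/* Stub "remote token" (server side of the RPC): yields a handle only when a
 * mechanism parameter is actually present. */
static CK_RV remote_derive(const CK_MECHANISM *m, int *have_handle, CK_OBJECT_HANDLE *h)
{
    *have_handle = 0;
    if (m->pParameter == NULL || m->ulParameterLen == 0)
        return CKR_ARGUMENTS_BAD;
    *h = 0x1000UL + m->ulParameterLen;    /* stand-in for a real derivation */
    *have_handle = 1;
    return CKR_OK;
}
/* Hardened RPC client. In the CWE-824 pattern, 'key' is a bare uninitialized local
 * copied to *phKey even when the server sent no handle; here every path defines it. */
CK_RV rpc_c_derive_key(const CK_MECHANISM *m, CK_OBJECT_HANDLE *phKey)
{
    if (m == NULL || phKey == NULL)
        return CKR_ARGUMENTS_BAD;
    *phKey = CK_INVALID_HANDLE;                   /* caller never sees garbage */
    CK_OBJECT_HANDLE key = CK_INVALID_HANDLE;     /* defined on every path */
    int have_handle = 0;
    CK_RV rv = remote_derive(m, &have_handle, &key);
    if (rv != CKR_OK || !have_handle)             /* error, or OK with no payload */
        return rv != CKR_OK ? rv : CKR_ARGUMENTS_BAD;
    *phKey = key;
    return CKR_OK;
}
/* Self-check: NULL parameter rejected (handle stays invalid); 16-byte parameter accepted. */
int derive_key_self_check(void)
{
    CK_MECHANISM bad  = { 0x80000001UL, NULL, 0 };               /* vendor-range placeholder */
    CK_MECHANISM good = { 0x80000001UL, "0123456789abcdef", 16 }; /* constructed input */
    CK_OBJECT_HANDLE h = 0xdeadUL;                               /* poisoned to detect leaks */
    if (rpc_c_derive_key(&bad, &h) != CKR_ARGUMENTS_BAD || h != CK_INVALID_HANDLE)
        return 0;
    return rpc_c_derive_key(&good, &h) == CKR_OK && h == 0x1010UL;
}
```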
Details
- CWE(s)