Medium severity5.3NVD Advisory· Published Mar 26, 2026· Updated Apr 25, 2026

CVE-2026-2100

Description

A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Affected products

P11 Kit Project/P11 Kit
cpe:2.3:a:p11-kit_project:p11-kit:-:*:*:*:*:*:*:*
Red Hat/Hardened Images
cpe:2.3:a:redhat:hardened_images:-:*:*:*:*:*:*:*
Red Hat/Enterprise Linux2 versions
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/p11-glue/p11-kit/pull/740nvdIssue TrackingPatch
access.redhat.com/security/cve/CVE-2026-2100nvdVendor Advisory
bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor Advisory
access.redhat.com/errata/RHSA-2026:7065nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000