CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100 Published on March 26, 2026

P11-kit: null dereference via c_derivekey with specific null parameters
A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentially resulting in a NULL dereference or undefined behavior. This issue may cause an application level denial of service or other unpredictable system states.

Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-2100 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a small impact on availability.

Attack Vector:

NETWORK

Attack Complexity:

LOW

Privileges Required:

NONE

User Interaction:

NONE

Scope:

UNCHANGED

Confidentiality Impact:

NONE

Integrity Impact:

NONE

Availability Impact:

LOW

Timeline

2026-02-06

Reported to Red Hat.

2026-02-06

Made public.

Weakness Type

Access of Uninitialized Pointer

The program accesses or uses a pointer that has not been initialized.

Products Associated with CVE-2026-2100

Want to know whenever a new CVE is published for Red Hat products? stack.watch will email you.

Red Hat Enterprise Linux (RHEL)

Red Hat Openshift

Red Hat Hummingbird

Red Hat Rhui

Red Hat Insights Proxy

Red Hat Cost Management

Affected Versions

Red Hat Enterprise Linux 10:

Version 0:0.26.2-1.el10 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:0.26.2-1.el9 and below * is unaffected.

Red Hat Enterprise Linux 9:

Version 0:0.26.2-1.el9 and below * is unaffected.

Red Hat Cost Management 4:

Version 1780946239 and below * is unaffected.

Red Hat Hardened Images:

Version 0.26.2-1.1.hum1 and below * is unaffected.

Red Hat Insights proxy 1.5:

Version 1780420428 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version 1779798159 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version 1779798164 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version 1779798165 and below * is unaffected.

Red Hat Update Infrastructure 5:

Version 1779798222 and below * is unaffected.

Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat OpenShift Container Platform 4:

Exploit Probability

EPSS

1.02%

Percentile

58.87%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DSCVE-2026-2100 Published on March 26, 2026

Vulnerability Analysis

Timeline

Weakness Type

Access of Uninitialized Pointer

Products Associated with CVE-2026-2100

Affected Versions

Exploit Probability

CVE-2026-2100: Uninitialized Return in p11-kit C_DeriveKey DS
CVE-2026-2100 Published on March 26, 2026