p11-kit NULL Dereference Vulnerability in C_DeriveKey Function

Vulnerability

A vulnerability in p11-kit allows remote attackers to cause a NULL dereference or undefined behavior by calling the C_DeriveKey function on a remote token. Exploitation involves setting specific IBM kyber or IBM btc derive mechanism parameters to NULL, which can lead to the RPC client returning an uninitialized value. The issue is present in p11-kit versions prior to 0.26.1 and may result in an application-level denial of service or other unpredictable system states.

Impact

Exploitation of this vulnerability can cause a NULL dereference, leading to a crash or restart of the application. Additionally, if the uninitialized pointer is used in a read operation, there is a potential risk of reading sensitive portions of memory. According to Red Hat, this vulnerability allows for a denial-of-service condition or unpredictable system states.

Reproduction

The vulnerability can be reproduced by calling the C_DeriveKey function on a remote token with the IBM kyber or IBM btc derive mechanism parameters set to NULL. This can be done using a compatible RPC client that interacts with the p11-kit library.
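
An application-side guard that rejects such a mechanism before it reaches C_DeriveKey, shown as an added example that is not p11-kit code or part of the original advisory. It assumes "parameters set to NULL" refers to the pParameter field of CK_MECHANISM; the function name and the two EXAMPLE_CKM_* ids are hypothetical placeholders.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal PKCS#11 declarations so the example builds without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef struct {
    CK_MECHANISM_TYPE mechanism;
    void *pParameter;
    CK_ULONG ulParameterLen;
} CK_MECHANISM;

#define CKR_OK                      0x00000000UL
#define CKR_ARGUMENTS_BAD           0x00000007UL
#define CKR_MECHANISM_PARAM_INVALID 0x00000071UL

/* PLACEHOLDER ids (assumption): replace with the IBM kyber and IBM btc
 * derive mechanism constants from the PKCS#11 headers you build against. */
#define EXAMPLE_CKM_IBM_KYBER      0xFFFF0001UL
#define EXAMPLE_CKM_IBM_BTC_DERIVE 0xFFFF0002UL

static const CK_MECHANISM_TYPE param_required[] = {
    EXAMPLE_CKM_IBM_KYBER, EXAMPLE_CKM_IBM_BTC_DERIVE,
};

/* Returns CKR_OK only when the mechanism may be handed to C_DeriveKey. */
CK_RV check_derive_mechanism(const CK_MECHANISM *mech)
{
    size_t i;

    if (mech == NULL)
        return CKR_ARGUMENTS_BAD;
    /* A NULL pointer with a non-zero length, or the reverse, is never valid. */
    if ((mech->pParameter == NULL) != (mech->ulParameterLen == 0))
        return CKR_MECHANISM_PARAM_INVALID;
    /* The listed mechanisms must always carry a parameter block. */
    for (i = 0; i < sizeof(param_required) / sizeof(param_required[0]); i++)
        if (mech->mechanism == param_required[i] && mech->pParameter == NULL)
            return CKR_MECHANISM_PARAM_INVALID;
    return CKR_OK;
}

int main(void)
{
    CK_MECHANISM bad = { EXAMPLE_CKM_IBM_KYBER, NULL, 0 }; /* constructed input */
    printf("NULL parameter -> 0x%lx\n", check_derive_mechanism(&bad));
    return 0;
}
```

The guard only inspects the top-level pParameter pointer and length, not pointer fields nested inside the parameter structure, so it narrows exposure on versions prior to 0.26.1 rather than replacing the upgrade.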

Added: Mar 26, 2026, 9:43 PM
Updated: Mar 26, 2026, 9:43 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 4.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.