Skip to content

Commit b46f88d

Browse files
swibi-ttdclaude
andcommitted
UID2-7376: suppress CVE-2026-2100 (p11-kit) - not exploitable
CVE-2026-2100 is a NULL pointer dereference in p11-kit (Alpine base image) triggered via C_DeriveKey. Our services are pure Java: the JVM uses JSSE for TLS and the Java cacerts keystore for trust, and never loads the native p11-kit PKCS#11 module loader or calls C_DeriveKey, so the vulnerable code path is not reachable. Following the established treatment for non-exploitable native base-image CVEs (cf. CVE-2026-45447 libcrypto3), this is suppressed in .trivyignore with a 'not reachable from the JVM' rationale and an expiry, rather than upgraded. A fix exists in Alpine v3.23 (>= 0.26.2-r0) but the pinned eclipse-temurin base image has not yet been rebuilt with it; the expiry resurfaces this for review once that lands. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent d2be4c8 commit b46f88d

1 file changed

Lines changed: 8 additions & 0 deletions

File tree

.trivyignore

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,3 +44,11 @@ CVE-2026-45447 exp:2026-07-11
4444
# See: UID2-7364
4545
CVE-2026-54512 exp:2026-07-25
4646
CVE-2026-54513 exp:2026-07-25
47+
48+
# CVE-2026-2100 — p11-kit NULL dereference via C_DeriveKey in the Alpine base image.
49+
# uid2-operator is a pure Java service; the JVM uses JSSE for TLS and the bundled Java cacerts keystore for trust — it does
50+
# not load the native p11-kit PKCS#11 module loader and never calls C_DeriveKey, so the
51+
# vulnerable code path is not reachable. Fixed in Alpine v3.23 >= 0.26.2-r0 but the pinned
52+
# eclipse-temurin base image has not yet been rebuilt with it.
53+
# See: UID2-7376
54+
CVE-2026-2100 exp:2026-09-01

0 commit comments

Comments
 (0)