From 0ea1edcb3de9650a60df5509dc76ec2a9e6f12e1 Mon Sep 17 00:00:00 2001 From: sean wibisono Date: Fri, 26 Jun 2026 12:51:17 +1000 Subject: [PATCH] UID2-7376: suppress CVE-2026-2100 (p11-kit) - not exploitable CVE-2026-2100 is a NULL pointer dereference in p11-kit (Alpine base image) triggered via C_DeriveKey. Our services are pure Java: the JVM uses JSSE for TLS and the Java cacerts keystore for trust, and never loads the native p11-kit PKCS#11 module loader or calls C_DeriveKey, so the vulnerable code path is not reachable. Following the established treatment for non-exploitable native base-image CVEs (cf. CVE-2026-45447 libcrypto3), this is suppressed in .trivyignore with a 'not reachable from the JVM' rationale and an expiry, rather than upgraded. A fix exists in Alpine v3.23 (>= 0.26.2-r0) but the pinned eclipse-temurin base image has not yet been rebuilt with it; the expiry resurfaces this for review once that lands. Co-Authored-By: Claude Opus 4.8 (1M context) --- .trivyignore | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.trivyignore b/.trivyignore index 92de5f0e..21d73c3d 100644 --- a/.trivyignore +++ b/.trivyignore @@ -30,3 +30,11 @@ CVE-2026-42577 exp:2026-09-11 # See: UID2-7364 CVE-2026-54512 exp:2026-07-25 CVE-2026-54513 exp:2026-07-25 + +# CVE-2026-2100 — p11-kit NULL dereference via C_DeriveKey in the Alpine base image. +# uid2-admin is a pure Java service; the JVM uses JSSE for TLS and the bundled Java cacerts keystore for trust — it does +# not load the native p11-kit PKCS#11 module loader and never calls C_DeriveKey, so the +# vulnerable code path is not reachable. Fixed in Alpine v3.23 >= 0.26.2-r0 but the pinned +# eclipse-temurin base image has not yet been rebuilt with it. +# See: UID2-7376 +CVE-2026-2100 exp:2026-09-01
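Review bot: the "not reachable" rationale in the new .trivyignore comment only covers the JVM's own TLS and trust paths, so it should also state how reachability was checked and whether anything else in the image can load p11-kit. Concretely: (1) confirm that the image's `java.security` has no `security.provider` entry enabling `SunPKCS11` (which is the one JVM path that would dlopen a native PKCS#11 module), and (2) confirm that no entrypoint script, health check or bundled CLI in the Alpine base image calls into p11-kit; C_DeriveKey is a PKCS#11 entry point, not JVM-specific, so "uid2-admin is a pure Java service" alone does not establish that no process in the container can reach it. Adding one line such as `# Verified: no SunPKCS11 provider in java.security; no non-JVM consumers of p11-kit in the image` next to the `# See: UID2-7376` line would make the suppression auditable when the `exp:2026-09-01` expiry resurfaces it, and would match the rationale-plus-ticket pattern the existing entries above already use.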