NULL Pointer Dereference Affecting pam_pkcs11 package, versions *


Severity

Recommended: medium

Based on Red Hat Enterprise Linux security rating.

  • Snyk ID: SNYK-RHEL6-PAMPKCS11-8708647
  • Published: 11 Feb 2025
  • Disclosed: 10 Feb 2025

Introduced: 10 Feb 2025

CVE-2025-24031
CWE-476

How to fix?

There is no fixed version for RHEL:6 pam_pkcs11.

NVD Description

Note: Versions mentioned in the description apply only to the upstream pam_pkcs11 package and not the pam_pkcs11 package as distributed by RHEL. See How to fix? for RHEL:6 relevant fixed versions and status.

PAM-PKCS#11 is a Linux-PAM login module that allows an X.509 certificate-based user login. In versions 0.6.12 and prior, the pam_pkcs11 module segfaults when a user presses ctrl-c/ctrl-d when they are asked for a PIN. When a user enters no PIN at all, pam_get_pwd will never initialize the password buffer pointer and as such cleanse will try to dereference an uninitialized pointer. On my system this pointer happens to have the value 3 most of the time when running sudo and as such it will segfault. The most likely impact to a system affected by this issue is an availability impact due to a daemon that uses PAM crashing. As of time of publication, a patch for the issue is unavailable.
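
The failure pattern the description outlines (an out-parameter left unset on the no-input path, then handed to a wipe routine) next to its defensive form, as an added C example. It is not pam_pkcs11 code; `get_pin`, `cleanse_buf` and `login_hardened` are hypothetical names, and the input strings are constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable shape described above (shown as a comment, not compiled):
 *     char *pin;              // never initialised
 *     get_pin(&pin, ...);     // leaves pin untouched when nothing is typed
 *     cleanse_buf(pin);       // dereferences whatever was on the stack
 */

/* Hypothetical PIN getter. `typed` is constructed test input; NULL models
 * ctrl-c/ctrl-d at the prompt. */
static int get_pin(char **out, const char *typed)
{
    *out = NULL;                      /* fix 1: define the out-param on every path */
    if (typed == NULL)
        return -1;
    size_t n = strlen(typed) + 1;
    *out = malloc(n);
    if (*out == NULL)
        return -1;
    memcpy(*out, typed, n);
    return 0;
}

/* Wipe a secret string in place. */
static void cleanse_buf(char *p)
{
    if (p == NULL)                    /* fix 2: tolerate "no buffer" */
        return;
    volatile char *v = p;
    for (size_t i = strlen(p); i > 0; i--)
        v[i - 1] = 0;
}

/* Returns 0 when a PIN was read, -1 when none was supplied. */
static int login_hardened(const char *typed)
{
    char *pin = NULL;                 /* fix 3: initialise at declaration */
    int rv = get_pin(&pin, typed);
    cleanse_buf(pin);                 /* safe on both paths */
    free(pin);
    return rv;
}

int main(void)
{
    return (login_hardened(NULL) == -1 && login_hardened("123456") == 0) ? 0 : 1;
}
```

Any one of the three fixes prevents the crash; applying all of them keeps the cleanup path safe even if a later change removes one.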

CVSS Scores

version 3.1