CVE-2021-31826
Description
Shibboleth Service Provider 3.x before 3.2.2 has a NULL pointer dereference in its session recovery feature that allows a remote, unauthenticated attacker to crash the shibd daemon via a crafted cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Shibboleth Service Provider versions 3.x prior to 3.2.2 contain a NULL pointer dereference vulnerability in the cookie-based session recovery feature introduced in V3.0 [1]. The flaw is reachable even on systems that do not use this feature, provided a specially crafted cookie is supplied [1].
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted cookie to the target system [1]. No prior knowledge of the session or any authentication is required; the cookie triggers the NULL pointer dereference in the session recovery code path, causing a crash of the shibd daemon process [1].
Impact
Successful exploitation results in a denial of service (DoS) condition due to the crash of the shibd daemon [1]. The crash can be easily triggered remotely, making the system unavailable for processing authentication requests [1].
Mitigation
Update to Shibboleth Service Provider version 3.2.2 or later, which contains the fix for this issue [1]. As a workaround, configuring a DataSealer component in shibboleth2.xml (even if not used for anything else) will prevent the crash [1]. Note that versions prior to V3.0 are not vulnerable [1]. The fix commit is 5a47c3b9378f4c49392dd4d15189b70956f9f2ec in the cpp-sp repository [2].
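A host audit for the mitigation above, as an added example (not code from Shibboleth or from the advisory): it classifies an installation from its version string and the contents of shibboleth2.xml. The function names, the sample XML, its namespace and the DataSealer attribute values are constructed for illustration; the check only looks for an element named DataSealer.

```python
import re
import xml.etree.ElementTree as ET

INTRODUCED = (3, 0, 0)  # session recovery feature arrived in V3.0 (per the text above)
FIXED = (3, 2, 2)       # first fixed release (per the text above)

# Constructed sample configs; the namespace and attribute values are placeholders.
SAMPLE_NO_SEALER = """<SPConfig xmlns="urn:example:constructed-sp-config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""
SAMPLE_WITH_SEALER = """<SPConfig xmlns="urn:example:constructed-sp-config">
  <DataSealer type="Static" key="CONSTRUCTED-PLACEHOLDER"/>
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth"/>
</SPConfig>"""

def parse_version(text):
    """Turn '3.2.1' or '3.2.1-1+deb10u1' into (3, 2, 1); missing parts become 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())

def has_data_sealer(config_xml):
    """True if any element named DataSealer exists, whatever its namespace."""
    root = ET.fromstring(config_xml)
    return any(el.tag.rsplit("}", 1)[-1] == "DataSealer" for el in root.iter())

def assess(version_text, config_xml):
    """Return 'not-affected', 'workaround-present' or 'exposed'.

    Caveat: distribution packages may backport the fix under an older
    upstream version number, so confirm against the distro advisory.
    """
    v = parse_version(version_text)
    if not (INTRODUCED <= v < FIXED):
        return "not-affected"
    return "workaround-present" if has_data_sealer(config_xml) else "exposed"

if __name__ == "__main__":
    for ver, cfg in [("3.1.0", SAMPLE_NO_SEALER), ("3.1.0", SAMPLE_WITH_SEALER),
                     ("3.2.2", SAMPLE_NO_SEALER), ("2.6.1", SAMPLE_NO_SEALER)]:
        print(ver, assess(ver, cfg))
```

A result of "workaround-present" only means the crash path is blocked by configuration; the upgrade to 3.2.2 or later is still the fix.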
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Shibboleth/Service Provider
- Range: >=3.0, <3.2.2
Patches
No patches discovered yet.
References
- www.debian.org/security/2021/dsa-4905 (mitre, vendor-advisory, x_refsource_DEBIAN)
- bugs.debian.org/987608 (mitre, x_refsource_MISC)
- git.shibboleth.net/view/ (mitre, x_refsource_MISC)
- issues.shibboleth.net/jira/browse/SSPCPP-927 (mitre, x_refsource_MISC)
- shibboleth.net/community/advisories/secadv_20210426.txt (mitre, x_refsource_MISC)