FreeBSD: VID-5786185a-9a43-11e8-b34b-6cc21735f730: xml-security-c -- crashes on malformed KeyInfo content
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | Aug 7, 2018 | Aug 8, 2018 | Dec 10, 2025 |
Description
The Shibboleth project reports: SAML messages, assertions, and metadata all commonly make use of the XML Signature KeyInfo construct, which expresses information about keys and certificates used in signing or encrypting XML. The Apache Santuario XML Security for C++ library contained code paths at risk of dereferencing null pointers when processing various kinds of malformed KeyInfo hints typically found in signed or encrypted XML. The usual effect is a crash, and in the case of the Shibboleth SP software, a crash in the shibd daemon, which prevents access to protected resources until the daemon is restarted.
Solution
freebsd-upgrade-package-apache-xml-security-c