Description
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

libyang before 5.2.6 contains a heap use‑after‑free write vulnerability in the function lyd_parser_set_data_flags. The error occurs when the code updates metadata list pointers after freeing non‑head default metadata entries, which can lead to memory corruption. Attackers can trigger the flaw by submitting specially crafted YANG XML documents with particular metadata attributes to applications that parse untrusted XML data, potentially causing a process crash or enabling execution of arbitrary code.

Affected Systems

The affected product is libyang, maintained by CESNET. All releases prior to version 5.2.6 are vulnerable; applications that integrate libyang in this range are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, and the EPSS score is currently unavailable. The vulnerability is not listed in CISA KEV. The likely attack vector is remote: an attacker can send crafted YANG XML documents to a vulnerable system over any interface that allows XML parsing, thereby provoking the use‑after‑free condition and potentially gaining code execution. The exploitation requires that the target application exposes a parsing endpoint to untrusted input.

Generated by OpenCVE AI on May 26, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libyang to version 5.2.6 or later to patch the use‑after‑free flaw.
  • If upgrading immediately is not possible, disable metadata parsing or configure the application to reject metadata attributes in YANG XML documents, limiting exposure to the vulnerable code path.
  • Restrict XML parsing to trusted inputs or execute the parsing process in a sandboxed environment to contain any potential exploitation.



Advisories

No advisories yet.

History

Tue, 26 May 2026 14:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution. |
| Title | | libyang - Heap Use-After-Free Write in XML Metadata Parsing |
| First Time appeared | | Cesnet; Cesnet libyang |
| Weaknesses | | CWE-416 |
| CPEs | | cpe:2.3:a:cesnet:libyang:*:*:*:*:*:*:*:* |
| Vendors & Products | | Cesnet; Cesnet libyang |
| References | | |
| Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T17:58:08.114Z

Reserved: 2026-04-20T14:15:22.223Z

Link: CVE-2026-41401

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T15:16:35.660

Modified: 2026-05-26T15:16:35.660

Link: CVE-2026-41401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:00:11Z

Weaknesses