libyang - Heap Use-After-Free Write in XML Metadata Parsing | Advisories

Advisories

libyang - Heap Use-After-Free Write in XML Metadata Parsing

severity: medium
date: 5/26/2026
Affecting: libyang < 5.4.3
CVE: CVE-2026-41401
CWE: CWE-416 Use After Free
CVSS: 6.9
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: GHSA Advisory GHSA-9f49-8x56-jmjc
https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c
Anthropic CVD Finding ANT-2026-TZQ1KH7E
Credit: kevin-valerio
Description: libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo