CVE-2026-41401
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| libyang | libyang | 0 < 5.4.3 | affected |
| libyang | libyang | 5.4.3 | unaffected |
Weaknesses
- CWE-416: Use After Free
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
- https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
- https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E
References
- https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
- https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c
- https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E
- https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-metadata-parsing
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.