PT-2019-1107 · Libyang · Libyang
Jvijtiuko · Published 2019-03-29 · Updated 2023-09-20 · CVE-2019-20393
CVSS v2.0: 10 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
libyang versions prior to v1.0-r1
Description:
A double-free issue is present in the yyparse() function when an empty description is used, potentially causing a crash or code execution. This issue affects applications that use libyang to parse untrusted input YANG files. The flaw can be exploited by a remote attacker to execute arbitrary code or cause a denial of service.

Recommendations:
For versions prior to v1.0-r1, update to version v1.0-r1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the yyparse() function when parsing untrusted input YANG files until a patch is available. Avoid using empty descriptions in YANG files to minimize the risk of exploitation.
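The workaround above can be enforced as a pre-parse check. The following is an added example (not libyang's own code; the function names and the sample module are constructed for illustration): it scans a YANG module for `description` statements with an empty argument, skipping comments, so an application can reject such input before handing it to the parser.

```python
import re

# Matches a description statement whose argument is an empty quoted string,
# including concatenated forms:  description "";  description '';  description "" + "";
EMPTY_DESC = re.compile(r"\bdescription\s+(?:(?:\"\"|'')\s*(?:\+\s*)?)+;")


def strip_comments(text: str) -> str:
    """Blank out YANG comments (// ... and /* ... */) with spaces,
    keeping newlines so reported line numbers stay correct."""
    def blank(m):
        return re.sub(r"[^\n]", " ", m.group(0))
    text = re.sub(r"/\*.*?\*/", blank, text, flags=re.S)
    return re.sub(r"//[^\n]*", blank, text)


def find_empty_descriptions(yang_text: str) -> list[int]:
    """Return 1-based line numbers of description statements with an
    empty argument, ignoring anything inside comments."""
    cleaned = strip_comments(yang_text)
    return [cleaned.count("\n", 0, m.start()) + 1
            for m in EMPTY_DESC.finditer(cleaned)]


def safe_to_parse(yang_text: str) -> bool:
    """True when the module contains no empty description statements."""
    return not find_empty_descriptions(yang_text)


# Constructed sample module (hypothetical, not a real YANG module).
SAMPLE_MODULE = """module example {
  namespace "urn:example:demo";   // constructed sample
  prefix ex;
  /* description ""; inside a comment must be ignored */
  container top {
    description "";
    leaf name {
      type string;
      description "A filled-in description is fine";
    }
    leaf other {
      description '' + "";
    }
  }
}
"""

if __name__ == "__main__":
    print(find_empty_descriptions(SAMPLE_MODULE))  # [6, 12]
```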
Weakness Enumeration: Double Free
Related Identifiers: CVE-2019-20393
Affected Products: Libyang