PT-2020-1237 · Libyang · Libyang
Jvijtiuko
Published 2020-01-22 · Updated 2023-09-20 · CVE-2019-20392
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
libyang versions prior to 1.0-r1
Description
An invalid memory access flaw is present in the function resolve_feature_value() when an if-feature statement is used inside a list key node and the feature used is not defined. Applications that use libyang to parse untrusted input YANG files may crash.
Recommendations
For versions prior to 1.0-r1, update to version 1.0-r1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of if-feature statements inside list key nodes until a patch is available. Restrict access to untrusted input YANG files to minimize the risk of exploitation.
Exploit
Fix
Buffer Overflow
Weakness Enumeration
Related Identifiers
Affected Products
Libyang