PT-2020-1242 · Libyang · Libyang
Jvijtiuko
Published 2020-01-22 · Updated 2023-09-20
CVE-2019-20398
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
libyang versions prior to 1.0-r3
Description
A NULL pointer dereference issue is present in the lys_extension_instances_free() function due to a copy of unresolved extensions in lys_restr_dup(). This can cause applications that use libyang to parse untrusted input YANG files to crash.
Recommendations
For versions prior to 1.0-r3, update to version 1.0-r3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the lys_extension_instances_free() and lys_restr_dup() functions when parsing untrusted input YANG files until a patch is available. Restrict access to untrusted YANG files to minimize the risk of exploitation.
Exploit
Fix
NULL Pointer Dereference
Weakness Enumeration
Related Identifiers
Affected Products
Libyang