PT-2021-4114 · Libyang+2

Zounathan · Published 2021-03-08 · Updated 2022-08-26 · CVE-2021-28905

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

libyang versions prior to 1.0.226

Description

The issue is in the function lys_node_free() in the libyang library, which asserts that the value of node->module cannot be NULL. In certain cases, however, node->module can be NULL, which makes the assertion reachable. This can potentially allow a remote attacker to cause a denial of service.

Recommendations

For libyang versions prior to 1.0.226, update to version 1.0.226 or later to resolve the issue. As a temporary workaround, consider modifying the lys_node_free() function to properly handle cases where node->module is NULL, until a patch is available.

Exploit

Fix

Assertion Failure

Weakness Enumeration

Related Identifiers

BDU:2021-04704
CVE-2021-28905
OPENSUSE-SU-2022_2922-1
SUSE-SU-2022:2922-1
SUSE-SU-2022_2922-1

Affected Products

Debian
Suse
Libyang