PT-2026-43252 · Libyang · Libyang

Kevin-Valerio

·

Published

2026-05-26

·

Updated

2026-06-10

·

CVE-2026-41401

CVSS v4.0

7.1

High

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions libyang versions prior to 5.2.6
Description A heap use-after-free write occurs in the lyd parser set data flags() function. This happens when the software incorrectly updates metadata list pointers while freeing non-head default metadata entries. An attacker can trigger this by submitting crafted YANG XML documents containing specific metadata attributes to applications that parse untrusted XML data, which may lead to process crashes or potential code execution.
Recommendations Update to version 5.2.6 or later.

Exploit

Fix

Use After Free

Found an issue in the description? Have something to add? Feel free to write us 👾
dbugs@ptsecurity.com

Weakness Enumeration

CWE-416

Related Identifiers

CVE-2026-41401
OPENSUSE-SU-2026:10868-1
SUSE-SU-2026:2334-1
SUSE-SU-2026:2335-1
SUSE-SU-2026:2337-1

Affected Products

Libyang