Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.
AnalysisAI
Integer overflow in libyang's lyb_read_string() function leads to heap buffer overflow during LYB binary parsing, enabling remote denial-of-service attacks against NETCONF servers, sysrepo, and other YANG data consumers. The vulnerability (CWE-190) allows unauthenticated attackers to crash services by supplying maliciously crafted LYB blobs over network connections. Fixed in version SO 5.2.15. CVSS 7.5 (High) with network attack vector and low complexity, though currently limited to availability impact. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.
Technical ContextAI
libyang is a C library implementing the YANG data modeling language (RFC 7950), used extensively in network device configuration and NETCONF protocol implementations. The vulnerability resides in the LYB (libyang binary) format parser, specifically the lyb_read_string() function in src/parser_lyb.c. An integer overflow (CWE-190) occurs during buffer size calculations when processing string length fields in LYB binary data, causing the allocation of an insufficiently sized heap buffer. Subsequent data copying operations then overflow this undersized buffer, corrupting adjacent heap memory. This class of vulnerability affects any system accepting untrusted LYB input, including NETCONF servers handling remote configuration requests, sysrepo datastore operations, and custom applications using libyang's binary deserialization.
RemediationAI
Upgrade to libyang SO 5.2.15 or later immediately, as confirmed by GitHub Security Advisory GHSA-vw2p-pq79-92xh. This vendor-released patch addresses the integer overflow in lyb_read_string() and is the primary remediation path. For environments unable to patch immediately, implement input validation to reject untrusted LYB binary data at service boundaries - restrict NETCONF servers and sysrepo instances to accept only XML/JSON YANG formats from untrusted sources, disabling LYB binary format handling where operationally feasible. This workaround trades convenience for security but carries operational overhead in high-throughput environments relying on LYB's performance characteristics. Network segmentation limiting NETCONF access to authenticated management networks reduces attack surface but does not eliminate risk from compromised administrative systems. Application-layer firewalls can inspect NETCONF traffic to filter malformed requests, though LYB binary format complexity makes effective signature-based detection challenging without deep protocol parsing. Monitor libyang-consuming services for unexpected crashes or memory corruption indicators post-patch to verify remediation effectiveness. Review https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh for additional vendor guidance and affected version confirmation.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Enterprise Storage 7.1 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP3 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP3 | Fixed |
| SUSE Linux Enterprise Server 15 SP3-BCL | Fixed |
| SUSE Linux Enterprise Server 15 SP3-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy 4.2 | Fixed |
| SUSE Manager Retail Branch Server 4.2 | Fixed |
| SUSE Manager Server 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30484