Skip to main content

libyang CVE-2026-44673

| EUVDEUVD-2026-30484 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-05-14 security-advisories@github.com
7.5
CVSS 3.1 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 22:05 vuln.today
CVE Published
May 14, 2026 - 21:16 nvd
HIGH 7.5

DescriptionCVE.org

libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

AnalysisAI

Integer overflow in libyang's lyb_read_string() function leads to heap buffer overflow during LYB binary parsing, enabling remote denial-of-service attacks against NETCONF servers, sysrepo, and other YANG data consumers. The vulnerability (CWE-190) allows unauthenticated attackers to crash services by supplying maliciously crafted LYB blobs over network connections. Fixed in version SO 5.2.15. CVSS 7.5 (High) with network attack vector and low complexity, though currently limited to availability impact. No active exploitation confirmed (not in CISA KEV); public exploit code status unknown.

Technical ContextAI

libyang is a C library implementing the YANG data modeling language (RFC 7950), used extensively in network device configuration and NETCONF protocol implementations. The vulnerability resides in the LYB (libyang binary) format parser, specifically the lyb_read_string() function in src/parser_lyb.c. An integer overflow (CWE-190) occurs during buffer size calculations when processing string length fields in LYB binary data, causing the allocation of an insufficiently sized heap buffer. Subsequent data copying operations then overflow this undersized buffer, corrupting adjacent heap memory. This class of vulnerability affects any system accepting untrusted LYB input, including NETCONF servers handling remote configuration requests, sysrepo datastore operations, and custom applications using libyang's binary deserialization.

RemediationAI

Upgrade to libyang SO 5.2.15 or later immediately, as confirmed by GitHub Security Advisory GHSA-vw2p-pq79-92xh. This vendor-released patch addresses the integer overflow in lyb_read_string() and is the primary remediation path. For environments unable to patch immediately, implement input validation to reject untrusted LYB binary data at service boundaries - restrict NETCONF servers and sysrepo instances to accept only XML/JSON YANG formats from untrusted sources, disabling LYB binary format handling where operationally feasible. This workaround trades convenience for security but carries operational overhead in high-throughput environments relying on LYB's performance characteristics. Network segmentation limiting NETCONF access to authenticated management networks reduces attack surface but does not eliminate risk from compromised administrative systems. Application-layer firewalls can inspect NETCONF traffic to filter malformed requests, though LYB binary format complexity makes effective signature-based detection challenging without deep protocol parsing. Monitor libyang-consuming services for unexpected crashes or memory corruption indicators post-patch to verify remediation effectiveness. Review https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh for additional vendor guidance and affected version confirmation.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Server Applications 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-44673 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy