Skip to main content

libyang EUVDEUVD-2026-31832

| CVE-2026-41401 HIGH
Use After Free (CWE-416)
2026-05-26 VulnCheck GHSA-v7jp-vmx6-5429
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 10:32 vuln.today
Analysis Generated
Jun 08, 2026 - 10:32 vuln.today
Severity Changed
May 26, 2026 - 15:22 NVD
MEDIUM HIGH
CVSS changed
May 26, 2026 - 15:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)

DescriptionCVE.org

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

AnalysisAI

Heap use-after-free write in libyang before 5.2.6 enables remote authenticated attackers to crash processes or potentially execute code by submitting crafted YANG XML documents to applications using the library for parsing. The flaw resides in lyd_parser_set_data_flags, which mishandles metadata list pointers when freeing non-head default metadata entries. No public exploit identified at time of analysis, EPSS is low at 0.03%, and SSVC rates technical impact as partial with no automatable exploitation.

Technical ContextAI

libyang is the CESNET-maintained C library that parses, validates, and manipulates YANG-modeled data, widely embedded in network management stacks including sysrepo, FRRouting, and Red Hat/SUSE platform tooling for NETCONF/RESTCONF processing. The vulnerability is a CWE-416 Use-After-Free in the XML metadata parsing path: lyd_parser_set_data_flags incorrectly updates the linked-list pointers of default metadata entries when a non-head entry is freed, leaving a dangling pointer that is later written to. Because libyang sits at the XML-to-internal-tree boundary, any application that hands attacker-influenced YANG XML to the parser inherits the bug. The affected CPE is cpe:2.3:a:libyang:libyang covering all versions before the fixed release.

RemediationAI

Upgrade libyang to the patched release identified by CESNET (the CVE text cites 5.2.6; the EUVD record implies 5.4.3 - confirm the exact version via the GHSA-9f49-8x56-jmjc advisory at https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc, with the fix commit at https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c). For Red Hat and SUSE deployments, apply the distribution-provided libyang package update once published. Where immediate patching is not possible, restrict the ability of low-privileged users to submit arbitrary YANG XML to NETCONF/RESTCONF or sysrepo endpoints by tightening NACM/AAA rules and network ACLs on management interfaces, and consider validating or rejecting client-supplied XML containing unexpected metadata attributes at a proxy; the trade-off is potential disruption of legitimate management automation that relies on those metadata extensions.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Module for Server Applications 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected

Share

EUVD-2026-31832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy