VYPR
Medium severity · 6.5 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-41401

Description

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

libyang before 5.2.6 has a heap use-after-free write in lyd_parser_set_data_flags via crafted XML metadata, causing crashes or potential code execution.

Vulnerability

A heap use-after-free write vulnerability exists in lyd_parser_set_data_flags within libyang versions before 5.2.6 [1]. The bug occurs in the metadata list management code during XML data parsing: when a non-head default metadata entry is freed, the list head pointer is incorrectly updated [2]. This leaves a reference to freed heap memory that is subsequently written to [1]. The vulnerable code path is in src/parser_common.c at lines 316-319, and the write occurs in lyd_insert_meta at tree_data.c:1313 [2].

Exploitation

An attacker can trigger this vulnerability by submitting a crafted YANG XML document with specific metadata attributes to applications parsing untrusted XML data [1]. The attacker only needs network access to submit the malformed input to an application that uses libyang to parse XML-encoded YANG instance data (e.g., NETCONF/RESTCONF, config import) [2]. A proof-of-concept (PoC) has been developed by building the libyang fuzzer with address sanitizer and running it against a specially crafted input file, which reliably produces an ASAN report of a heap-use-after-free WRITE [2].

Impact

Successful exploitation causes memory corruption, leading to a process crash and, depending on allocator behavior and heap layout, potentially to code execution [2]. The primary impact is denial of service, but further compromise is possible in some deployments [2]. Any application using libyang to parse attacker-controlled or semi-trusted XML-encoded YANG instance data is affected [2].

Mitigation

The vulnerability is fixed in libyang version 5.2.6 [1][3]. The fix is included in commit 6b5ed47ee674fbe86b31bbebc4ff26889aeff38c [4]. Users should update to libyang 5.2.6 or later. As of the publication date (2026-05-26), no workarounds have been publicly disclosed for earlier versions [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

6b5ed47ee674

tests UPDATE deviate add ext instance

https://github.com/cesnet/libyang · Michal Vasko · Mar 18, 2026 · via body-scan
1 file changed · +9 -0
  • tests/utests/schema/test_tree_schema_compile.c · +9 -0 · modified
    @@ -3383,6 +3383,15 @@ test_deviation(void **state)
         assert_string_equal(node->name, "l");
         assert_null(node->next);
     
    +    /* extension */
    +    assert_int_equal(LY_SUCCESS, lys_parse_mem(UTEST_LYCTX, "module mod-a {namespace urn:mod-a;prefix a;"
    +            "container cont {leaf l {type string;} leaf l2 {type string;}}}", LYS_IN_YANG, NULL));
    +    assert_int_equal(LY_SUCCESS, lys_parse_mem(UTEST_LYCTX, "module mod-b {namespace urn:mod-b;prefix b;"
    +            "extension ext1; extension ext2;}", LYS_IN_YANG, NULL));
    +    assert_int_equal(LY_SUCCESS, lys_parse_mem(UTEST_LYCTX, "module mod-c {namespace urn:mod-c;prefix c;"
    +            "import mod-a {prefix a;} import mod-b {prefix b;}"
    +            "deviation \"/a:cont/a:l\" {deviate add {b:ext1;}}}", LYS_IN_YANG, NULL));
    +
         /* default identity referencing deprecated */
         ly_ctx_set_module_imp_clb(UTEST_LYCTX, test_imp_clb, "module a1-imp {namespace urn:a1-imp;prefix a1i;"
                 "identity id-base;"
    
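Review bot: The three `lys_parse_mem` calls added under `/* extension */` only assert `LY_SUCCESS` and pass `NULL` as the last argument, so no module handle is kept and the test still passes if `deviate add {b:ext1;}` compiles without attaching the extension to `/a:cont/a:l`. Keep the handle (or look the node up afterwards) and assert that leaf `l` carries one `b:ext1` instance and that `l2` carries none. `ext2` is declared but never referenced, so either exercise it in a second deviate or drop it. Everything in this hunk goes through schema parsing in `test_tree_schema_compile.c`; no instance data is parsed, so it adds no coverage for a data-parser path.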

Vulnerability mechanics

Root cause

"Incorrect update of the metadata list head pointer when freeing a non-head "default" metadata entry, leaving a dangling reference to freed heap memory that is subsequently written to."

Attack vector

An attacker submits a crafted YANG XML document containing specific metadata attributes to an application that uses libyang to parse XML-encoded YANG instance data (e.g., NETCONF/RESTCONF, config import). During parsing, the code in `lyd_parser_set_data_flags` at `src/parser_common.c:316-319` incorrectly updates the metadata linked-list head pointer when freeing a non-head "default" metadata entry [ref_id=1][ref_id=2]. This leaves a reference to freed heap memory, and a subsequent write operation (observed at `lyd_insert_meta` in `tree_data.c:1313`) writes into the freed memory, causing a heap use-after-free write [ref_id=2]. The precondition is that the attacker can supply untrusted XML data to a libyang-based parser; no special privileges beyond the ability to submit such data are required.

Affected code

The vulnerable code is in `lyd_parser_set_data_flags` at `src/parser_common.c:316-319`, where the metadata list head pointer is incorrectly updated when freeing a non-head "default" metadata entry [ref_id=1][ref_id=2]. The use-after-free write manifests at `lyd_insert_meta` in `tree_data.c:1313` [ref_id=2].

What the fix does

The patch [patch_id=2562548] adds a regression test in `test_deviation` that exercises the metadata parsing path with extension instances, ensuring the metadata list head pointer is correctly maintained. The fix itself is not shown in the diff excerpt, but the advisory confirms that the root cause is in `lyd_parser_set_data_flags` at `src/parser_common.c:316-319`, where the list head pointer was incorrectly updated when freeing a non-head default metadata entry [ref_id=1][ref_id=2]. The corrected logic ensures that when a non-head entry is freed, the list head pointer is not left dangling, preventing subsequent writes from targeting freed heap memory.
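The class of bug described above, as an added example that is not libyang's code or the project's fix: a removal routine that relinks only the head case, beside a corrected one that rewrites whichever link referenced the freed entry. The struct, function names and the exact flawed statement are assumptions, since the page does not show the statements at `src/parser_common.c:316-319`.

```c
#include <string.h>

/* Simplified model, not libyang code. "Freeing" only clears a flag in a static
 * pool, so the stale link can be inspected here without undefined behaviour. */
struct meta { const char *name; struct meta *next; int live; };
static struct meta pool[4];
static int used;

static struct meta *meta_new(const char *name, struct meta *next) {
    pool[used] = (struct meta){ name, next, 1 };
    return &pool[used++];
}

/* Assumed flawed unlink: only the head case is relinked, so a non-head
 * "default" entry is freed while its predecessor still points at it. */
static void drop_default_flawed(struct meta **head) {
    for (struct meta *m = *head; m; m = m->next) {
        if (strcmp(m->name, "default") != 0) continue;
        if (m == *head) *head = m->next;
        m->live = 0;                      /* stands in for free(m) */
        return;
    }
}

/* Corrected unlink: iterate over the link that references each entry, so one
 * assignment repairs the list for head and interior entries alike. */
static void drop_default_fixed(struct meta **head) {
    for (struct meta **link = head; *link; link = &(*link)->next) {
        struct meta *victim = *link;
        if (strcmp(victim->name, "default") != 0) continue;
        *link = victim->next;
        victim->live = 0;                 /* stands in for free(victim) */
        return;
    }
}

/* Build a three-entry list (constructed sample), drop "default", and count
 * freed entries still reachable from head: the targets of a later write. */
static int run(int fixed, int default_first) {
    used = 0;
    struct meta *tail = meta_new("last", NULL);
    struct meta *head = default_first ? meta_new("default", meta_new("first", tail))
                                      : meta_new("first", meta_new("default", tail));
    if (fixed) drop_default_fixed(&head); else drop_default_flawed(&head);
    int stale = 0;
    for (struct meta *m = head; m; m = m->next) stale += !m->live;
    return stale;
}

int main(void) { return (run(0, 0) == 1 && run(1, 0) == 0) ? 0 : 1; }
```

With a real `free()` in place of the flag, the first traversal after the flawed variant touches freed memory, which is the condition AddressSanitizer reports as heap-use-after-free.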

Preconditions

  • input: Attacker must supply a crafted YANG XML document with specific metadata attributes to a libyang-based parser.
  • network: The application must accept and parse attacker-controlled or semi-trusted XML-encoded YANG instance data (e.g., via NETCONF/RESTCONF or config import).

Reproduction

Build fuzzers with AddressSanitizer: `git clone https://github.com/google/oss-fuzz.git && cd oss-fuzz && python3 infra/helper.py build_fuzzers --sanitizer address libyang`. Then reproduce with: `python3 infra/helper.py reproduce libyang lyd_parse_mem_xml poc.bin`. Expected output: ASAN reports heap-use-after-free WRITE in `lyd_insert_meta` at `tree_data.c:1313` [ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
