CVE-2026-41401
Deferred Deferred - Pending Action
Heap Use-After-Free in libyang XML Parser

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-26
Last Modified
2026-05-26
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41401
EUVD
EUVD-2026-31832
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cesnet libyang to 5.2.6 (exc)
cesnet libyang to 5.4.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41401 is a heap use-after-free write vulnerability in the libyang library, specifically in the function lyd_parser_set_data_flags. This flaw occurs when the metadata list pointers are incorrectly updated while freeing non-head default metadata entries during XML data parsing.

Attackers can exploit this vulnerability by submitting specially crafted YANG XML documents containing specific metadata attributes to applications that parse untrusted or semi-trusted XML data. This causes memory corruption by referencing and writing to freed heap memory.

The impact of this flaw can range from process crashes (denial of service) to potential code execution, depending on the memory allocator behavior and heap layout in the affected environment.

Impact Analysis

This vulnerability can impact you by causing applications that use libyang to parse attacker-controlled or semi-trusted XML-encoded YANG instance data to crash or behave unpredictably.

In some cases, the memory corruption caused by the use-after-free can lead to remote code execution, allowing attackers to execute arbitrary code within the context of the vulnerable application.

Typical affected scenarios include NETCONF/RESTCONF operations or configuration imports where untrusted XML data is parsed.

Overall, the vulnerability poses a risk of denial of service and potentially more severe security breaches depending on deployment specifics.

Detection Guidance

This vulnerability can be detected by monitoring applications that use libyang to parse XML-encoded YANG instance data, especially those handling untrusted or attacker-controlled input such as NETCONF/RESTCONF operations or configuration imports.

Detection involves identifying crashes or abnormal behavior in these applications when processing crafted YANG XML documents with specific metadata attributes.

Using memory error detection tools like AddressSanitizer (ASAN) during testing can reveal heap use-after-free writes related to this vulnerability.

While no specific commands are provided in the resources, you can use tools such as:

  • Running the vulnerable application under AddressSanitizer to detect heap use-after-free errors.
  • Monitoring application logs and crash reports for errors triggered by malformed YANG XML input.
  • Using network traffic analysis to detect suspicious or malformed YANG XML documents sent to services using libyang.
Mitigation Strategies

The primary immediate mitigation step is to update libyang to a patched version that fixes this vulnerability.

According to the resources, patches have been released (e.g., versions 5.2.6 and later, and 5.4.3 and later) that address this heap use-after-free issue.

Until the update can be applied, restrict or validate XML input to applications using libyang to prevent processing of untrusted or crafted YANG XML documents containing malicious metadata attributes.

Additionally, monitor affected applications for crashes or unusual behavior and consider applying runtime protections such as sandboxing or limiting privileges of processes using libyang.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart