CVE-2026-41401
Heap Use-After-Free in libyang XML Parser
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cesnet | libyang | up to 5.2.6 (excluding 5.2.6) |
| cesnet | libyang | up to 5.4.3 (excluding 5.4.3) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41401 is a heap use-after-free write vulnerability in the libyang library, specifically in the function lyd_parser_set_data_flags. This flaw occurs when the metadata list pointers are incorrectly updated while freeing non-head default metadata entries during XML data parsing.
Attackers can exploit this vulnerability by submitting specially crafted YANG XML documents containing specific metadata attributes to applications that parse untrusted or semi-trusted XML data. This causes memory corruption by referencing and writing to freed heap memory.
The impact of this flaw can range from process crashes (denial of service) to potential code execution, depending on the memory allocator behavior and heap layout in the affected environment.
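As an added illustration of the list-unlinking mistake the description refers to (this is constructed example code, not libyang's; the struct, field and function names are invented), the defective walk below frees an entry and then keeps reading through it, while the fixed walk repoints the predecessor's link before freeing:

```c
/* Constructed illustration of the CWE-416 pattern described above.
 * NOT libyang's code: struct, field and function names are invented. */
#include <stdlib.h>
#include <string.h>
struct meta {
    char name[16];
    int is_default;          /* 1 = default entry to drop, 0 = keep */
    struct meta *next;
};
/* Defective walk, for comparison only (never run on a live list): a non-head
 * removal never relinks prev->next, and cur->next is read after free(cur). */
void free_defaults_buggy(struct meta **head)
{
    struct meta *prev = NULL, *cur = *head;
    while (cur) {
        if (cur->is_default) {
            if (!prev)
                *head = cur->next;   /* head case handled ... */
            free(cur);               /* ... but prev->next still points at cur */
        } else {
            prev = cur;
        }
        cur = cur->next;             /* use-after-free read when cur was freed */
    }
}
/* Fixed walk: repoint whatever referenced the entry, then free it. */
void free_defaults_fixed(struct meta **head)
{
    struct meta **link = head;       /* address of the pointer to patch */
    while (*link) {
        struct meta *cur = *link;
        if (cur->is_default) {
            *link = cur->next;       /* unlink first, so nothing references cur */
            free(cur);
        } else {
            link = &cur->next;
        }
    }
}
/* Prepend an entry; used only to build a constructed sample list. */
struct meta *push(struct meta *next, const char *name, int is_default)
{
    struct meta *m = calloc(1, sizeof *m);
    if (!m) abort();
    strncpy(m->name, name, sizeof m->name - 1);
    m->is_default = is_default;
    m->next = next;
    return m;
}
int count(const struct meta *m) { int n = 0; for (; m; m = m->next) n++; return n; }
```

Running the fixed walk under AddressSanitizer is clean; the defective one is the kind of access ASan reports as a heap-use-after-free.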
How can this vulnerability impact me?
This vulnerability can impact you by causing applications that use libyang to parse attacker-controlled or semi-trusted XML-encoded YANG instance data to crash or behave unpredictably.
In some cases, the memory corruption caused by the use-after-free can lead to remote code execution, allowing attackers to execute arbitrary code within the context of the vulnerable application.
Typical affected scenarios include NETCONF/RESTCONF operations or configuration imports where untrusted XML data is parsed.
Overall, the vulnerability poses a risk of denial of service and potentially more severe security breaches depending on deployment specifics.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring applications that use libyang to parse XML-encoded YANG instance data, especially those handling untrusted or attacker-controlled input such as NETCONF/RESTCONF operations or configuration imports.
Detection involves identifying crashes or abnormal behavior in these applications when processing crafted YANG XML documents with specific metadata attributes.
Using memory error detection tools like AddressSanitizer (ASAN) during testing can reveal heap use-after-free writes related to this vulnerability.
While no specific commands are provided in the resources, you can take steps such as:
- Running the vulnerable application under AddressSanitizer to detect heap use-after-free errors.
- Monitoring application logs and crash reports for errors triggered by malformed YANG XML input.
- Using network traffic analysis to detect suspicious or malformed YANG XML documents sent to services using libyang.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to update libyang to a patched version that fixes this vulnerability.
According to the resources, patches have been released (e.g., versions 5.2.6 and later, and 5.4.3 and later) that address this heap use-after-free issue.
Until the update can be applied, restrict or validate XML input to applications using libyang to prevent processing of untrusted or crafted YANG XML documents containing malicious metadata attributes.
Additionally, monitor affected applications for crashes or unusual behavior and consider applying runtime protections such as sandboxing or limiting privileges of processes using libyang.