CVE-2026-41401

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c
https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E
https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-metadata-parsing
https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E

Configurations

No configuration.

History

26 May 2026, 18:16

Type	Values Removed	Values Added
References	~~() https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc -~~	() https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc -
References	~~() https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E -~~	() https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E -

26 May 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-26 15:16

Updated : 2026-05-26 19:47

NVD link : CVE-2026-41401

Mitre link : CVE-2026-41401

CVE.ORG link : CVE-2026-41401

JSON object : View

Products Affected

No product.

CWE

CWE-416

Use After Free

{"id": "CVE-2026-41401", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-26T15:16:35.660", "references": [{"url": "https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc", "source": "disclosure@vulncheck.com"}, {"url": "https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E", "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-metadata-parsing", "source": "disclosure@vulncheck.com"}, {"url": "https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution."}], "lastModified": "2026-05-26T19:47:48.987", "sourceIdentifier": "disclosure@vulncheck.com"}