CVE-2026-41401 MEDIUM

CVE-2026-41401: libyang - Heap Use-After-Free Write in XML Metadata Parsing

Vendor Libyang
Product libyang
Weakness CWE-416
Published May 26, 2026
Last update May 26, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

Key dates

02Disclosure timeline

May 26, 2026 CVE published
May 26, 2026 Record updated