PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44673 CESNET CVE debrief

CVE-2026-44673 is an integer overflow (CWE-190) in libyang, CESNET's YANG data modeling language library. A maliciously crafted LYB binary blob triggers the overflow in the LYB parser, which leads to a heap buffer overflow: the consuming process crashes, and heap corruption is possible. The fix is identified by the libyang shared-object version SO 5.2.15. The CVSS 3.1 base score is 7.5 (High); the scored impact is availability only (C:N/I:N/A:H). The CVE was published on May 14, 2026 and last modified on June 30, 2026.

Vendor
CESNET
Product
libyang
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-06-30
Advisory published
2026-05-14
Advisory updated
2026-06-30

Who should care

Network administrators, security teams and developers who run libyang or products that embed it should take note. That includes operators of NETCONF servers, sysrepo deployments and any other libyang consumer that accepts LYB-encoded data, in particular from network peers. Red Hat users are also affected: the record carries multiple Red Hat errata references, so fixed packages are available through the usual Red Hat update channels.

Technical summary

The vulnerability lies in the lyb_read_string() function in src/parser_lyb.c of libyang. LYB is libyang's binary encoding of YANG data trees, and lyb_read_string() reads a length-prefixed string out of such a blob. A crafted blob causes an integer overflow in the parser's size arithmetic, so the allocation and the subsequent copy disagree about the buffer size and the copy overruns the heap. Any attacker who can feed LYB data to a libyang consumer can trigger it; no authentication or user interaction is required, and the attack is network-reachable wherever a service accepts LYB from remote peers. The weakness is classified as CWE-190, Integer Overflow or Wraparound. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which scores the denial-of-service outcome; the "potential heap corruption" in the advisory is not reflected in the confidentiality or integrity metrics, so treat the score as a floor rather than a ceiling.
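The length-then-copy pattern behind a CWE-190 bug of this kind, as an added illustration that is not libyang's code and does not reproduce the actual lyb_read_string() defect (the record gives no details of the real arithmetic). The framing (a hypothetical 8-byte little-endian length prefix), the function names and the sample blobs are assumptions constructed for the example: alloc_size_unchecked() shows the wrapping arithmetic, and read_lenstr_safe() shows the overflow and bounds checks a binary parser needs before it allocates and copies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the hardened reader. */
enum rd_status { RD_OK = 0, RD_ERR_TRUNCATED, RD_ERR_OVERFLOW, RD_ERR_NOMEM };

/* Assumed framing (hypothetical, not the real LYB layout):
 * an 8-byte little-endian length followed by exactly that many string bytes. */
static uint64_t read_u64le(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* The CWE-190 pattern: adding one for the NUL terminator in unsigned
 * arithmetic wraps to 0 when len is the maximum value, so malloc() hands
 * back a zero-size (or tiny) buffer and the copy of len bytes that follows
 * overruns the heap. Exposed as a function so the wrap can be observed
 * without performing the dangerous copy. */
uint64_t alloc_size_unchecked(uint64_t len)
{
    return len + 1;            /* UINT64_MAX + 1 == 0 */
}

/* Checked version: refuse any length for which len + 1 does not fit size_t. */
int alloc_size_checked(uint64_t len, size_t *out)
{
    if (len > (uint64_t)SIZE_MAX - 1)
        return 0;
    *out = (size_t)len + 1;
    return 1;
}

/* Hardened reader. Every derived quantity is bounded before the allocation
 * and the copy: the header must be present, the allocation size must not
 * wrap, and the declared length must not exceed the bytes left in the blob. */
enum rd_status read_lenstr_safe(const uint8_t *buf, size_t buflen,
                                size_t *pos, char **out)
{
    size_t need;
    *out = NULL;
    if (*pos > buflen || buflen - *pos < 8)
        return RD_ERR_TRUNCATED;
    uint64_t len = read_u64le(buf + *pos);
    size_t off = *pos + 8;
    if (!alloc_size_checked(len, &need))
        return RD_ERR_OVERFLOW;
    if (len > (uint64_t)(buflen - off))
        return RD_ERR_TRUNCATED;
    char *s = malloc(need);
    if (s == NULL)
        return RD_ERR_NOMEM;
    memcpy(s, buf + off, (size_t)len);
    s[len] = '\0';
    *out = s;
    *pos = off + (size_t)len;
    return RD_OK;
}

/* Constructed sample blobs (not captured from any real system). */
static const uint8_t BLOB_OK[]       = { 5,0,0,0,0,0,0,0, 'h','e','l','l','o' };
static const uint8_t BLOB_TRUNC[]    = { 9,0,0,0,0,0,0,0, 'h','e','l','l','o' };
static const uint8_t BLOB_OVERFLOW[] = { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 'x' };

/* Parse one string from a blob into a caller-supplied buffer; returns the status. */
enum rd_status parse_blob(const uint8_t *blob, size_t n, char *dst, size_t dstsz)
{
    size_t pos = 0;
    char *s = NULL;
    enum rd_status st = read_lenstr_safe(blob, n, &pos, &s);
    if (st == RD_OK) {
        snprintf(dst, dstsz, "%s", s);
        free(s);
    } else if (dstsz > 0) {
        dst[0] = '\0';
    }
    return st;
}

int main(void)
{
    char out[32];
    printf("unchecked alloc size for UINT64_MAX: %llu\n",
           (unsigned long long)alloc_size_unchecked(UINT64_MAX));
    printf("ok blob      -> status %d, string \"%s\"\n",
           parse_blob(BLOB_OK, sizeof BLOB_OK, out, sizeof out), out);
    printf("truncated    -> status %d\n",
           parse_blob(BLOB_TRUNC, sizeof BLOB_TRUNC, out, sizeof out));
    printf("overflow len -> status %d\n",
           parse_blob(BLOB_OVERFLOW, sizeof BLOB_OVERFLOW, out, sizeof out));
    return 0;
}
```

The order of the checks matters: the overflow test runs before the truncation test so that an absurd length is rejected on its own merits rather than relying on the input happening to be shorter, and the truncation test compares against the bytes remaining after the header, not the whole buffer.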

Defensive priority

The CVSS base score is 7.5 (High). The scored outcome is a crash of the process that parses the blob, but the advisory also describes potential heap corruption, so do not treat this as a pure availability issue. Update libyang to SO 5.2.15 or later promptly, starting with hosts where a libyang consumer accepts LYB data from unauthenticated or remote peers.

Recommended defensive actions

  • Update libyang to SO 5.2.15 or later; on Red Hat systems apply the errata referenced by the record
  • Inventory products that bundle or link libyang (NETCONF servers, sysrepo, vendor appliances) and apply their vendor updates; a statically linked or vendored copy is not fixed by updating the system package
  • Until patched, restrict which peers can submit LYB data to libyang consumers and treat LYB input from untrusted sources as hostile
  • Build and fuzz libyang consumers with compiler hardening and AddressSanitizer in test builds so heap overruns in the binary parser surface before deployment
  • Validate every length read from a LYB blob against the remaining input, and check size arithmetic for wraparound, before allocating or copying

Evidence notes

The CVE record and the NVD entry are the official sources for this vulnerability. Multiple Red Hat errata references and a GitHub security advisory supply additional context and the available fixes. The fixed version, SO 5.2.15, is taken from the advisory.

Official resources

This article is AI-assisted and based on the supplied source corpus.