PatchSiren cyber security CVE debrief
CVE-2026-44673 CESNET CVE debrief
CVE-2026-44673 is an integer overflow vulnerability in libyang, a YANG data modeling language library. The vulnerability can result in a heap buffer overflow, allowing an attacker to trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15. The Common Vulnerability Scoring System (CVSS) score for this vulnerability is 7.5, indicating a high severity. The vulnerability was published on May 14, 2026, and last modified on June 30, 2026.
- Vendor: CESNET
- Product: libyang
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-14
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-14
- Advisory updated: 2026-06-30
Who should care
Network administrators, security teams, and developers using libyang or products that incorporate libyang should be aware of this vulnerability. This includes users of NETCONF servers, sysrepo, and other libyang consumers. Red Hat users may also be affected, as indicated by multiple Red Hat errata references.
Technical summary
The vulnerability exists in the lyb_read_string() function in src/parser_lyb.c of libyang. An integer overflow occurs when parsing a maliciously crafted LYB binary blob, leading to a heap buffer overflow. It can be triggered by any attacker able to supply LYB data to a libyang consumer. The vulnerability is classified under CWE-190, Integer Overflow or Wraparound. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network with no privileges or user interaction required, and scored for availability impact only (crash), with no confidentiality or integrity impact assessed.
Defensive priority
This vulnerability has a high CVSS score of 7.5 and can lead to a crash or potential heap corruption. Updating libyang to version SO 5.2.15 or later should be treated as a priority, especially on systems that accept LYB data from untrusted sources.
Recommended defensive actions
- Update libyang to version SO 5.2.15 or later
- Review and update affected products that incorporate libyang
- Monitor for suspicious LYB data being supplied to libyang consumers
- Implement additional security measures to detect and prevent heap buffer overflows
- Verify and validate input data to prevent maliciously crafted LYB binary blobs
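The technical summary describes the CWE-190 pattern behind this CVE: a length field read from an LYB blob overflows during arithmetic and the resulting copy runs past a heap allocation. The following is an added, constructed example (not libyang's lyb_read_string() and not code from the project or the advisory) showing how a length-prefixed string reader can be written so that an oversized or truncated length field is rejected before any allocation or copy. The record layout (a 4-byte little-endian length followed by the string bytes) and the sample blobs are assumptions for illustration only; the page does not describe the real LYB encoding.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed, illustrative reader for a length-prefixed string in a
 * binary blob. It is NOT libyang's lyb_read_string(); the record layout
 * (4-byte little-endian length, then the bytes) is assumed here only to
 * show the CWE-190 checks that keep an oversized length field from
 * becoming a heap buffer overflow. */

struct blob_reader {
    const uint8_t *data;  /* start of blob */
    size_t len;           /* total size of blob */
    size_t pos;           /* current read offset, invariant: pos <= len */
};

/* Reads one string record. On success returns 0 and stores a malloc'd
 * NUL-terminated copy in *out; on any malformed input returns -1 and
 * leaves *out NULL. Every check compares against the *remaining* size,
 * so no pos + length addition can wrap around. */
int read_len_prefixed_string(struct blob_reader *r, char **out)
{
    *out = NULL;
    size_t remaining = r->len - r->pos;

    /* The 4-byte length field must itself lie inside the blob. */
    if (remaining < 4) return -1;
    const uint8_t *p = r->data + r->pos;
    uint32_t slen = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                    ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    r->pos += 4;
    remaining -= 4;

    /* The declared length must fit in what is left. A length such as
     * 0xFFFFFFFF fails here instead of reaching the allocation. */
    if (slen > remaining) return -1;

    /* Allocation size is slen + 1 for the terminator; at this point
     * slen <= remaining <= SIZE_MAX - 4, so the addition cannot wrap. */
    char *buf = malloc((size_t)slen + 1);
    if (buf == NULL) return -1;
    memcpy(buf, r->data + r->pos, slen);
    buf[slen] = '\0';
    r->pos += slen;
    *out = buf;
    return 0;
}

/* Convenience wrapper: parse a blob expected to hold exactly one string
 * record and nothing else. Returns 0 and sets *out on success. */
int parse_single_string_blob(const uint8_t *data, size_t len, char **out)
{
    struct blob_reader r = { data, len, 0 };
    if (read_len_prefixed_string(&r, out) != 0) return -1;
    if (r.pos != r.len) {          /* trailing bytes are also malformed */
        free(*out);
        *out = NULL;
        return -1;
    }
    return 0;
}

/* Constructed sample inputs below; none is captured from a real LYB file. */

/* Well-formed: length 5 followed by "hello". Returns 1 if accepted. */
int demo_well_formed(void)
{
    static const uint8_t blob[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    char *s = NULL;
    int ok = parse_single_string_blob(blob, sizeof blob, &s) == 0 &&
             s != NULL && strcmp(s, "hello") == 0;
    free(s);
    return ok;
}

/* Oversized length field 0xFFFFFFFF with only 5 payload bytes. Without
 * the remaining-size check, a pos + slen computation could wrap and the
 * memcpy would run past the blob. Returns 1 if rejected. */
int demo_oversized_length(void)
{
    static const uint8_t blob[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };
    char *s = NULL;
    int rejected = parse_single_string_blob(blob, sizeof blob, &s) == -1 && s == NULL;
    free(s);
    return rejected;
}

/* Length field claims 6 bytes but only 5 follow. Returns 1 if rejected. */
int demo_truncated_payload(void)
{
    static const uint8_t blob[] = { 6, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
    char *s = NULL;
    int rejected = parse_single_string_blob(blob, sizeof blob, &s) == -1 && s == NULL;
    free(s);
    return rejected;
}

int main(void)
{
    printf("well-formed accepted: %d\n", demo_well_formed());
    printf("oversized length rejected: %d\n", demo_oversized_length());
    printf("truncated payload rejected: %d\n", demo_truncated_payload());
    return 0;
}
```

The design point is that the reader never computes an offset or allocation size from attacker-controlled data before proving that the value fits in the space that remains; comparing `slen` against `remaining` (rather than checking `pos + slen <= len`) is what removes the addition that could wrap. This is also the kind of input validation the recommended actions above refer to for consumers that must accept LYB data from untrusted peers.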
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. Multiple Red Hat errata references and a GitHub security advisory offer additional context and potential mitigations. The vulnerability is confirmed to be fixed in SO 5.2.15.
Official resources
- CVE-2026-44673 CVE record (CVE.org)
- CVE-2026-44673 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.