PatchSiren cyber security CVE debrief

CVE-2026-41401 libyang CVE debrief

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

Vendor: libyang
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running network management systems, SDN controllers, or other infrastructure that uses libyang for YANG data modeling should prioritize patching. This includes telecommunications providers, enterprise network operators, and cloud infrastructure teams relying on NETCONF/RESTCONF implementations that depend on libyang for XML parsing.

Technical summary

The vulnerability exists in the lyd_parser_set_data_flags function of libyang, a YANG data modeling language library. When parsing YANG XML documents containing metadata attributes, the function incorrectly handles pointer updates during the freeing of non-head default metadata entries. This results in a heap use-after-free write condition. An attacker can exploit this by submitting maliciously crafted YANG XML documents to applications that parse untrusted XML input. Successful exploitation may lead to process crashes (denial of service) or potentially arbitrary code execution. The vulnerability requires low privileges and has low attack complexity, making it accessible to remote attackers in scenarios where untrusted XML is processed.
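As an added illustration (not libyang's code and not part of this debrief), the C sketch below models the bug class the summary describes: a singly linked metadata list whose default entries are dropped after parsing. `meta_remove_flawed` updates only the head pointer, so unlinking a non-head entry leaves its predecessor pointing at freed memory, which is the shape of a use-after-free write; `meta_remove` locates the referencing pointer before freeing. The struct, the function names and the single-pass `meta_drop_defaults` are assumptions made for this example.

```c
#include <stdlib.h>
/* Constructed illustration of the advisory's bug class: a use-after-free when
 * dropping default entries from a singly linked metadata list. Struct and
 * function names are assumptions for this example, not libyang's own code. */
struct meta {
    int id;                 /* stands in for the attribute name */
    int is_default;         /* entry that may be dropped after parsing */
    struct meta *next;
};

struct meta *meta_new(int id, int is_default, struct meta *next)
{
    struct meta *m = calloc(1, sizeof *m);
    if (!m) return NULL;
    m->id = id;
    m->is_default = is_default;
    m->next = next;
    return m;
}
/* Flawed unlink: treats every victim as the list head, so removing a non-head
 * entry leaves its predecessor's next dangling into freed memory. Never called. */
void meta_remove_flawed(struct meta **head, struct meta *victim)
{
    *head = victim->next;
    free(victim);
}

/* Correct unlink: locate the pointer that references victim, then splice it out. */
int meta_remove(struct meta **head, struct meta *victim)
{
    struct meta **pp = head;
    while (*pp && *pp != victim)
        pp = &(*pp)->next;
    if (!*pp) return 0;     /* victim was not in this list */
    *pp = victim->next;
    free(victim);
    return 1;
}

/* Drop every default entry in one pass; returns how many were removed. */
int meta_drop_defaults(struct meta **head)
{
    int removed = 0;
    for (struct meta *m = *head, *next; m; m = next) {
        next = m->next;     /* read before m can be freed */
        if (m->is_default)
            removed += meta_remove(head, m);
    }
    return removed;
}
```

Building with `-fsanitize=address` and calling `meta_remove_flawed` on a non-head entry, then walking the list, is the quickest way to see the dangling-pointer write reported as a heap-use-after-free.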

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade libyang to version 5.2.6 or later to address the heap use-after-free vulnerability
  • Review applications that parse untrusted YANG XML data and implement input validation
  • Monitor for security advisories from CESNET/libyang for additional guidance
  • Assess exposure of applications using libyang for XML parsing of external data
  • Consider network segmentation for systems processing untrusted YANG XML documents

Evidence notes

The vulnerability is classified as CWE-416 (Use After Free). The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and high availability impact. The vulnerability status in NVD is currently 'Deferred'.

Official resources

CVE-2026-41401 was published on 2026-05-26T15:16:35.660Z and last modified on 2026-05-26T19:47:48.987Z. The vulnerability affects libyang versions prior to 5.2.6. The issue stems from improper pointer management in the lyd_parser_set_data_f