CVE-2026-41401

Published: Mag 26, 2026 Last Modified: Mag 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,1

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

MEDIUM 6,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: unchanged

Confidentiality: none

Integrity: none

Availability: high

Description

AI Translation Available

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

416

Use After Free

Stable

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Availability Confidentiality

Potential Impacts:

Modify Memory Dos: Crash, Exit, Or Restart Read Memory Execute Unauthorized Code Or Commands

Applicable Platforms

Languages: Memory-Unsafe, C, C++

Likelihood of Exploit: High

View CWE Details

https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b…

https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff3…

https://github.com/CESNET/libyang/security/advisories/GHSA-…

https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc

https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH…

https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E

https://www.vulncheck.com/advisories/libyang-heap-use-after…

https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-m…