Null Pointer Dereference in libyang Affects CESNET's YANG Data Modeling
CVE-2021-28902

7.5 HIGH

Key Information:

Vendor: Cesnet

Status
Vendor
CVE Published: 20 May 2021

What is CVE-2021-28902?

A NULL pointer dereference exists in the libyang library: the function read_yin_container() does not validate the retval->ext[r] pointer before using it. If this pointer is NULL, the subsequent access to retval->ext[r]->flags can crash the application. This can disrupt services that rely on YANG data modeling, affecting the stability and reliability of dependent systems. Users should upgrade to a newer version to mitigate the risk associated with this issue.
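The unchecked dereference described above, modeled in simplified form as an added example (this is not libyang's source code). The struct layouts, the flag bit and all function names are hypothetical stand-ins, and the sample arrays are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for illustration; not libyang's real types. */
struct ext_instance { unsigned flags; };
struct container {
    struct ext_instance **ext; /* pointer array; a slot can be NULL */
    size_t ext_size;
};
#define EXT_FLAG_DEMO 0x1u /* hypothetical flag bit */

/* Flawed pattern from the description: ext[r] is dereferenced unchecked. */
int count_flagged_unchecked(const struct container *retval) {
    int n = 0;
    for (size_t r = 0; r < retval->ext_size; r++)
        if (retval->ext[r]->flags & EXT_FLAG_DEMO) /* NULL slot => crash */
            n++;
    return n;
}

/* Hardened pattern: validate each slot and fail the parse instead of crashing. */
int count_flagged_checked(const struct container *retval) {
    int n = 0;
    if (!retval || (!retval->ext && retval->ext_size))
        return -1;
    for (size_t r = 0; r < retval->ext_size; r++) {
        if (!retval->ext[r])
            return -1; /* reject: extension slot was never populated */
        if (retval->ext[r]->flags & EXT_FLAG_DEMO)
            n++;
    }
    return n;
}

/* Constructed inputs: one fully populated array, one with a NULL slot. */
int demo_all_valid(void) {
    struct ext_instance a = { EXT_FLAG_DEMO }, b = { 0 }, c = { EXT_FLAG_DEMO };
    struct ext_instance *slots[] = { &a, &b, &c };
    struct container cont = { slots, 3 };
    return count_flagged_checked(&cont);
}
int demo_null_slot(void) {
    struct ext_instance a = { EXT_FLAG_DEMO };
    struct ext_instance *slots[] = { &a, NULL };
    struct container cont = { slots, 2 };
    return count_flagged_checked(&cont);
}
int main(void) {
    printf("all valid: %d, null slot: %d\n", demo_all_valid(), demo_null_slot());
    return 0;
}
```

The checked variant turns the crash condition into an error return (-1) that the caller can handle as a parse failure.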

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved