Heap Use-After-Free Vulnerability in libyang Affects Applications Parsing Untrusted XML
CVE-2026-41401

6.9 MEDIUM

Key Information:

Vendor: Libyang

Status: Vendor

CVE Published: 26 May 2026

What is CVE-2026-41401?

The libyang library, prior to version 5.2.6, contains a heap use-after-free write vulnerability within the lyd_parser_set_data_flags function. This issue occurs due to improper handling of metadata list pointers when freeing non-head default metadata entries. Attackers can exploit this flaw by sending specially crafted YANG XML documents containing malicious metadata attributes to applications that process untrusted XML data. Successful exploitation may lead to application crashes or potential execution of arbitrary code, posing significant risks to affected systems.

Affected Version(s)

libyang (all versions before 5.4.3)

libyang 5.4.3

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

kevin-valerio