Libyang Cesnet Libyang


By the Year

In 2026 there has been 1 vulnerability in Cesnet Libyang, with an average score of 7.5 out of ten. Libyang did not have any published security vulnerabilities last year. That is, 1 more vulnerability has already been reported in 2026 compared to last year.




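| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 1 | 7.50 |
| 2025 | 0 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 2 | 6.40 |
| 2022 | 0 | 0.00 |
| 2021 | 5 | 7.50 |
| 2020 | 8 | 0.00 |
| 2019 | 2 | 0.00 |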

It may take a day or so for new Libyang vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Cesnet Libyang Security Vulnerabilities

libyang <5.2.15 LYB parser heap overflow
CVE-2026-44673 7.5 - High - May 14, 2026

libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

Integer Overflow or Wraparound

libyang NULL pointer deref in lysp_stmt_validate_value before 2.1.30
CVE-2023-26917 7.5 - High - April 11, 2023

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.

NULL Pointer Dereference

NULL Deref in libyang 2.0.164-2.1.30 via lys_parse_mem
CVE-2023-26916 5.3 - Medium - April 03, 2023

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lys_parse_mem at lys_parse_mem.c.

NULL Pointer Dereference

In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL
CVE-2021-28902 7.5 - High - May 20, 2021

In function read_yin_container() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.

Unchecked Return Value

A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem()
CVE-2021-28903 7.5 - High - May 20, 2021

A stack overflow in libyang <= v1.0.225 can cause a denial of service through function lyxml_parse_mem(). lyxml_parse_elem() function will be called recursively, which will consume stack space and lead to crash.

Stack Exhaustion

In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL
CVE-2021-28904 7.5 - High - May 20, 2021

In function ext_get_plugin() in libyang <= v1.0.225, it doesn't check whether the value of revision is NULL. If revision is NULL, the operation of strcmp(revision, ext_plugins[u].revision) will lead to a crash.

Unchecked Return Value

In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL
CVE-2021-28905 7.5 - High - May 20, 2021

In function lys_node_free() in libyang <= v1.0.225, it asserts that the value of node->module can't be NULL. But in some cases, node->module can be null, which triggers a reachable assertion (CWE-617).

Assertion Failure

In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL
CVE-2021-28906 7.5 - High - May 20, 2021

In function read_yin_leaf() in libyang <= v1.0.225, it doesn't check whether the value of retval->ext[r] is NULL. In some cases, it can be NULL, which leads to the operation of retval->ext[r]->flags that results in a crash.

Unchecked Return Value

A NULL pointer dereference is present in libyang before v1.0-r3 in the function lys_extension_instances_free() due to a copy of unresolved extensions in lys_restr_dup()
CVE-2019-20398 - January 22, 2020

A NULL pointer dereference is present in libyang before v1.0-r3 in the function lys_extension_instances_free() due to a copy of unresolved extensions in lys_restr_dup(). Applications that use libyang to parse untrusted input yang files may crash.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated
CVE-2019-20397 - January 22, 2020

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

A segmentation fault is present in yyparse in libyang before v1.0-r1 due to a malformed pattern statement value during lys_parse_path parsing.
CVE-2019-20396 - January 22, 2020

A segmentation fault is present in yyparse in libyang before v1.0-r1 due to a malformed pattern statement value during lys_parse_path parsing.

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs
CVE-2019-20395 - January 22, 2020

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.

A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement is used in a notification statement
CVE-2019-20394 - January 22, 2020

A double-free is present in libyang before v1.0-r3 in the function yyparse() when a type statement is used in a notification statement. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used
CVE-2019-20393 - January 22, 2020

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node
CVE-2019-20392 - January 22, 2020

An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.

An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit
CVE-2019-20391 - January 22, 2020

An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.

In all versions of libyang before 1.0-r5
CVE-2019-19333 - December 06, 2019

In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "bits". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.

Stack Overflow

In all versions of libyang before 1.0-r5
CVE-2019-19334 - December 06, 2019

In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.

Stack Overflow
