UBUNTU-CVE-2026-41401
- Source
- https://ubuntu.com/security/CVE-2026-41401
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41401.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-41401
- Upstream
- Published
- 2026-05-26T15:16:00Z
- Modified
- 2026-06-16T21:45:31.020820892Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lydparsersetdataflags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.
- References
-
- https://ubuntu.com/security/CVE-2026-41401
- https://www.cve.org/CVERecord?id=CVE-2026-41401
- https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c
- https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
- https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E
- https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-metadata-parsing
Affected packages
Ubuntu:20.04:LTS / libyang
Package
- Name
- libyang
- Purl
- pkg:deb/ubuntu/libyang?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "0.16.105-3build1",
"binary_name": "libyang-cpp0.16"
},
{
"binary_version": "0.16.105-3build1",
"binary_name": "libyang0.16"
},
{
"binary_version": "0.16.105-3build1",
"binary_name": "python3-yang"
},
{
"binary_version": "0.16.105-3build1",
"binary_name": "yang-tools"
}
]
}
Ubuntu:22.04:LTS / libyang
Package
- Name
- libyang
- Purl
- pkg:deb/ubuntu/libyang?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_version": "1.0.225-1.1",
"binary_name": "libyang-cpp1"
},
{
"binary_version": "1.0.225-1.1",
"binary_name": "libyang-tools"
},
{
"binary_version": "1.0.225-1.1",
"binary_name": "libyang1"
},
{
"binary_version": "1.0.225-1.1",
"binary_name": "yang-tools"
}
]
}
Ubuntu:25.10 / libyang
Package
- Name
- libyang
- Purl
- pkg:deb/ubuntu/libyang?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ubuntu:26.04:LTS / libyang
Package
- Name
- libyang
- Purl
- pkg:deb/ubuntu/libyang?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected