CVE-2026-41401
Publication date 26 May 2026
Last updated 30 June 2026
Ubuntu priority
Description
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| libyang | 26.04 LTS resolute |
Fixed 3.13.6-1ubuntu0.1
|
| 25.10 questing |
Fixed 3.13.5-2ubuntu0.1
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| libyang2 | 26.04 LTS resolute | Not in release |
| 25.10 questing | Not in release | |
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
Notes
mdeslaur
This vulnerability was introduced in 2.2.8 by: https://github.com/CESNET/libyang/commit/ed39cbead79d8b2beb0aa5ffcea874677a17ea4a
Severity score breakdown
CVSS version:
Base score
7.1 · High
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Base score
6.5 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
Related Ubuntu Security Notices (USN)
- USN-8485-1
- libyang vulnerability
- 30 June 2026
Other references
- https://www.cve.org/CVERecord?id=CVE-2026-41401
- https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c
- https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
- https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E
- https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-metadata-parsing