CVE-2026-44673 PUBLISHED

libyang: lyb_read_string() integer overflow → heap buffer overflow

Assigner: GitHub_M
Reserved: 07.05.2026 Published: 14.05.2026 Updated: 14.05.2026

libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	CESNET
Product	libyang
Versions	Version < SO 5.2.15 is affected

References

https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh

Problem Types

CWE-190: Integer Overflow or Wraparound CWE