Lucene search: CesnetLibyang

17 matches found

added 2019/12/06 3:19 p.m., 146 views

CVE-2019-19333

CVE-2019-19333 affects libyang pre-1.0-r5: a stack-based buffer overflow occurs when parsing YANG files with a bits leaf, enabling DoS and potentially code execution. Mitigation: upgrade libyang to 1.0-r5 or newer (fixed in that release). The description focuses on this vulnerability; other relat...

CVSS 9.8 | AI score 9.7 | EPSS 0.03644

added 2021/05/20 6:36 p.m., 118 views

CVE-2021-28904

CVE-2021-28904 affects libyang up to version 1.0.225. The vulnerability is a NULL-check issue in ext_get_plugin(): if the revision value is NULL, the code path executes strcmp(revision, ext_plugins[u].revision) and can crash. Public sources describe this as a NULL pointer dereference condition in...

CVSS 7.5 | AI score 7.2 | EPSS 0.01407

added 2021/05/20 6:36 p.m., 114 views

CVE-2021-28902

CVE-2021-28902 affects libyang and is caused by a missing NULL check in read_yin_container() for retval->ext[r], which can be NULL and cause a crash when accessing retval->ext[r]->flags. Affected version: libyang =1.0.236). Impact is a potential crash; no exploit details are provided in ...

CVSS 7.5 | AI score 7.2 | EPSS 0.01555

added 2020/01/22 12:0 a.m., 112 views

CVE-2019-20391

CVE-2019-20391 affects libyang before v1.0-r3. The flaw is an invalid memory access in resolve_feature_value() when an if-feature statement is used inside a bit, which may cause a crash when parsing untrusted YANG input. Impact details in sources indicate potential denial of service with crashes;...

CVSS 6.5 | AI score 6.4 | EPSS 0.01859

added 2021/05/20 6:36 p.m., 112 views

CVE-2021-28906

CVE-2021-28906 affects libyang ext[r] when it is NULL, causing a crash. Affected packages include libyang and distributions referencing this version. Impact is a crash/denial via NULL pointer dereference. Remediation in documented advisories is to upgrade to a fixed libyang version (e.g., >= 1...

CVSS 7.5 | AI score 7.2 | EPSS 0.01572

added 2019/12/06 3:22 p.m., 107 views

CVE-2019-19334

CVE-2019-19334 affects libyang prior to 1.0-r5, where parsing YANG files containing a leaf of type identityref can trigger a stack-based buffer overflow. This may allow a remote attacker to cause a denial of service or possibly gain code execution when processing untrusted YANG data. The availabl...

CVSS 9.8 | AI score 9.7 | EPSS 0.0387

added 2021/05/20 6:36 p.m., 107 views

CVE-2021-28903

CVE-2021-28903 affects libyang =1.0.236 (as noted in GLSA-202107-54) and vendor advisories (SUSE/RHEL) listing CVE-2021-28903 among unpatched or updated contexts. Monitor for updates from vendors and apply the appropriate libyang security update when available.

CVSS 7.5 | AI score 7.3 | EPSS 0.02425

added 2021/05/20 6:36 p.m., 105 views

CVE-2021-28905

CVE-2021-28905 affects libyang in versions module is non-NULL; in some cases node->module is NULL, triggering a reachable assertion (CWE-617) and potentially enabling a crash. Documented impact specifies a partial/High-severity outcome with NETWORK access and no data confidentiality/integrity ...

CVSS 7.5 | AI score 7.2 | EPSS 0.01423

added 2020/01/22 12:0 a.m., 103 views

CVE-2019-20396

The CVE-2019-20396 issue affects libyang up to version 1.0-r1, causing a segmentation fault in yyparse due to a malformed pattern value during lys_parse_path parsing. This vulnerability is rooted in input validation within the parser toolkit. The available connected information specifies the affe...

CVSS 6.5 | AI score 6.4 | EPSS 0.01914

added 2020/01/22 12:0 a.m., 98 views

CVE-2019-20394

CVE-2019-20394 affects libyang. The vulnerability is a double-free in yyparse() when a type statement is used inside a notification statement, enabling denial of service and potentially code execution if untrusted YANG input is parsed. Public references in the connected documents identify the aff...

CVSS 8.8 | AI score 8.5 | EPSS 0.0279

added 2020/01/22 12:0 a.m., 97 views

CVE-2019-20395

The CVE-2019-20395 entry concerns libyang, a C library for YANG data modeling. A stack consumption issue occurs in libyang before v1.0-r1 due to a self-referential union type containing leafrefs; applications that parse untrusted YANG input may crash. The vulnerability affects libyang’s parsing p...

CVSS 6.5 | AI score 6.3 | EPSS 0.01839

added 2020/01/22 12:0 a.m., 96 views

CVE-2019-20393

The CVE-2019-20393 issue affects the libyang library (yyparse function) where a double-free occurs when parsing an empty description. Affected versions are libyang before v1.0-r1. Impact is described as a crash or potentially code execution in applications that parse untrusted YANG input. The proble...

CVSS 8.8 | AI score 8.5 | EPSS 0.0279

added 2020/01/22 12:0 a.m., 96 views

CVE-2019-20397

CVE-2019-20397 is a memory corruption flaw in libyang prior to v1.0-r1, caused by a double-free in yyparse() when an organization field is not terminated. This can crash the application or lead to arbitrary code execution if untrusted YANG data is parsed. Upstream details are confirmed, and affec...

CVSS 8.8 | AI score 8.6 | EPSS 0.02488

added 2020/01/22 12:0 a.m., 91 views

CVE-2019-20392

The CVE-2019-20392 issue affects libyang prior to v1.0-r1, where resolve_feature_value() can take an invalid memory path when an if-feature is used inside a list key node and the feature is not defined. This can cause application crashes when parsing untrusted YANG input. No exploitation details ...

CVSS 6.5 | AI score 6.4 | EPSS 0.01859

added 2020/01/22 12:0 a.m., 91 views

CVE-2019-20398

CVE-2019-20398 concerns a NULL pointer dereference in libyang in the function lys_extension_instances_free(), caused by copying unresolved extensions in lys_restr_dup() for libyang builds before v1.0-r3. Affected software may crash when parsing untrusted YANG inputs. Remediation references across...

CVSS 6.5 | AI score 6.4 | EPSS 0.01818

added 2023/04/11 12:0 a.m., 88 views

CVE-2023-26917

CVE-2023-26917 affects libyang from v2.0.164 to v2.1.30, with a NULL pointer dereference in lys_parse_mem.c triggered via lysp_stmt_validate_value. This is documented across multiple advisories (e.g., OSSUs/USNs and vendor notices) and is associated with potential crash/DoS implications (CVSS: HI...

CVSS 7.5 | AI score 7.4 | EPSS 0.00893

added 2023/04/03 12:0 a.m., 80 views

CVE-2023-26916

The CVE-2023-26916 issue affects libyang, specifically a NULL pointer dereference in lys_parse_mem, observed in libyang versions 2.0.164 through 2.1.30. Evidence across multiple feeds notes the vulnerability arises during YANG parsing (lys_parse_mem.c) and can lead to a crash. Several advisories ...

CVSS 5.3 | AI score 5.4 | EPSS 0.00986