What is GHSA-v7jp-vmx6-5429?

GHSA-v7jp-vmx6-5429 is a security advisory published by GitHub Security Advisories with High severity. libyang before 5.2.6 contains a heap use-after-free write vulnerability in...

Which CVE IDs does GHSA-v7jp-vmx6-5429 cover?

GHSA-v7jp-vmx6-5429 covers the following CVE IDs: CVE-2026-41401. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-v7jp-vmx6-5429?

GHSA-v7jp-vmx6-5429 has a CVSS v3 base score of 6.5, published by GitHub Security Advisories.

GHSA-v7jp-vmx6-5429HighCVSS 6.5

libyang before 5.2.6 contains a heap use-after-free write vulnerability in...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-41401 →

📋 Description

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

🔗 References (6)

https://github.com/CESNET/libyang/security/advisories/GHSA-9f49-8x56-jmjc
https://nvd.nist.gov/vuln/detail/CVE-2026-41401
https://github.com/CESNET/libyang/commit/6b5ed47ee674fbe86b31bbebc4ff26889aeff38c
https://red.anthropic.com/2026/cvd/findings/ANT-2026-TZQ1KH7E
https://www.vulncheck.com/advisories/libyang-heap-use-after-free-write-in-xml-metadata-parsing
https://github.com/advisories/GHSA-v7jp-vmx6-5429