This package is not in any development repository. This probably
means that the package
has been removed
(or has been renamed). Thus the information here is of little interest ...
the package is going to disappear unless someone takes it over and
reintroduces it.
CVE-2026-41401:
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.
1 issue left for the package maintainer to handle:
CVE-2026-44673:
(needs triaging)
libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.
CVE-2023-26916:
libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lys_parse_mem at lys_parse_mem.c.
CVE-2023-26917:
libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.
![[bug history graph]](https://qa.debian.org/data/bts/graphs/liby/libyang2.png){kind=link}