CVE-2026-44673
HIGHCVSS v3.1: 7.5 · EPSS: 0.0027 (19.0 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 7.5 v3.1 · NVD
- EPSS
- 0.0027 (19.0 percentile) · FIRST.org
- CISA KEV
- No
- Type
- Integer Overflow · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Published
- 2026-05-14 · Modified: 2026-06-30
- References
- Jump to references (7)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Vendor advisory https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh
- Distro https://access.redhat.com/errata/RHSA-2026:24545
- Distro https://access.redhat.com/errata/RHSA-2026:24758
- Distro https://access.redhat.com/errata/RHSA-2026:25051
- Distro https://access.redhat.com/security/cve/CVE-2026-44673
- Distro https://bugzilla.redhat.com/show_bug.cgi?id=2477617
- Distro https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-44673.json