Source: libyang
Version: 3.13.6-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for libyang.

CVE-2026-44673[0]:
| libyang is a YANG data modeling language library. Prior to SO
| 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer
| overflow that results in a heap buffer overflow when parsing a
| maliciously crafted LYB binary blob. An attacker who can supply LYB
| data to any libyang consumer (NETCONF server, sysrepo, etc.) can
| trigger a crash or potential heap corruption. This vulnerability is
| fixed in SO 5.2.15.

If you fix the vulnerability, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44673
    https://www.cve.org/CVERecord?id=CVE-2026-44673
[1] https://github.com/CESNET/libyang/security/advisories/GHSA-vw2p-pq79-92xh

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
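As an added illustration of the bug class named in the advisory (a length field from untrusted binary input feeding allocation and copy sizes), here is a hypothetical length-prefixed string reader in C; it is not libyang's code and not the upstream fix, and the `lyb_in` struct, the 4-byte little-endian length layout and the function names are assumptions made for this example. The point it demonstrates is ordering: the length is bounded by the bytes actually present before it takes part in any size arithmetic.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical input cursor; not libyang's real parser structures. */
struct lyb_in {
    const uint8_t *data;
    size_t len;   /* total bytes in the blob */
    size_t pos;   /* bytes consumed so far */
};

/* Read one length-prefixed string. Constructed layout for this example:
 * 4-byte little-endian length, then that many bytes. Returns a malloc'ed
 * NUL-terminated copy, or NULL if the field is malformed. The length is
 * validated against the bytes actually present *before* it reaches any
 * size arithmetic, so an attacker-chosen value can neither wrap "len + 1"
 * nor make memcpy() read or write past either buffer. */
char *read_prefixed_string(struct lyb_in *in)
{
    if (in->pos > in->len || in->len - in->pos < 4)
        return NULL;                    /* no room for the length field */
    const uint8_t *p = in->data + in->pos;
    uint32_t len = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                 | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    in->pos += 4;
    if (len > in->len - in->pos)
        return NULL;                    /* claims more bytes than exist */
    char *s = malloc((size_t)len + 1);  /* cannot wrap: len <= remaining < SIZE_MAX */
    if (!s) return NULL;
    memcpy(s, in->data + in->pos, len);
    s[len] = '\0';
    in->pos += len;
    return s;
}

/* Parse a blob of consecutive strings: returns how many were read, or -1
 * as soon as one field is rejected (the whole blob is then untrusted). */
int count_strings(const uint8_t *data, size_t len)
{
    struct lyb_in in = { data, len, 0 };
    int n = 0;
    while (in.pos < in.len) {
        char *s = read_prefixed_string(&in);
        if (!s) return -1;
        free(s);
        n++;
    }
    return n;
}
```

A fuzz harness or unit test for a binary format parser should feed it exactly these cases: a length of 0xFFFFFFFF, a length larger than the remaining input, and a header cut off mid-field.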

