CVE-2023-26917 — NULL Pointer Dereference in Libyang

CWE-476 — NULL Pointer Dereference7 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 46.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cesnet Libyang Debian Libyang Debian Libyang2 +3 more

Timeline

PublishedApr 11

Latest updateSep 16

Description

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶debiandebian/libyang< libyang 3.4.2+dfsg-2 (forky)

▶debiandebian/libyang2< libyang 3.4.2+dfsg-2 (forky)

▶Debiancesnet/libyang< 3.4.2+dfsg-2+1

▶NVDcesnet/libyang2.0.164 — 2.1.30

▶msrcmsrc/cbl2_libyang_2.1.55-1_on_cbl_mariner_2.0

🔴Vulnerability Details

GHSA

GHSA-8fpx-68qp-g9qc: libyang from v2↗2023-04-11

▶

OSV

CVE-2023-26917: libyang from v2↗2023-04-11

▶

📋Vendor Advisories

Ubuntu

libyang vulnerabilities↗2025-09-16

▶

Microsoft

libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer dereference via the function lysp_stmt_validate_value at lys_parse_mem.c.↗2023-04-11

▶

Red Hat

libyang: NULL pointer dereference via lysp_stmt_validate_value at lys_parse_mem.c↗2023-04-11

▶

Debian

CVE-2023-26917: libyang - libyang from v2.0.164 to v2.1.30 was discovered to contain a NULL pointer derefe...↗2023

▶