This update for libyang fixes the following issues
- CVE-2026-41401: use-after-free in `lyd_parser_set_data_flags` when processing crafted YANG XML documents with specific
metadata attributes (bsc#1266316).
- CVE-2026-44673: integer overflow in `lyb_read_string()` of `src/parser_lyb.c` leads to heap buffer overflow when
parsing a maliciously crafted LYB binary blob (bsc#1265330).
Patch instructions:
To install this openSUSE security update use the suse recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Leap 16.0
zypper in -t patch openSUSE-Leap-16.0-978=1
- openSUSE Leap 16.0:
libyang-devel-2.1.148-160000.4.1
libyang-doc-2.1.148-160000.4.1
libyang2-2.1.148-160000.4.1
yang-tools-2.1.148-160000.4.1
* bsc#1265330
* bsc#1266316
References:
* https://www.suse.com/security/cve/CVE-2026-41401.html
* https://www.suse.com/security/cve/CVE-2026-44673.html
Get the latest Linux and open source security news straight to your inbox.