DoS or arbitrary code execution via maliciously crafted LYB binary blob

Resolves: RHEL-177026 - CVE-2026-44673
2026-05-25 15:49:22 +02:00 · 2026-05-25 15:49:22 +02:00 · 3dc8851202
commit 3dc8851202
parent 7a00fe830a
2 changed files with 37 additions and 1 deletions
--- a/libyang-fix-CVE-2026-44673.patch
+++ b/libyang-fix-CVE-2026-44673.patch
@ -0,0 +1,29 @@
+diff --git a/src/parser_lyb.c b/src/parser_lyb.c
+index 788be94..5a26e43 100644
+--- a/src/parser_lyb.c
+++ b/src/parser_lyb.c
+@@ -217,6 +217,11 @@ lyb_read_string(char **str, uint8_t len_size, struct lylyb_ctx *lybctx)
+ 
+     lyb_read_number(&len, sizeof len, len_size, lybctx);
+ 
+    /* len could be potentially at UINT64_MAX meaning that len + 1 would
+     * cause malloc(0) followed by an out-of-bounds write */
+    LY_CHECK_ERR_RET(len == UINT64_MAX,
+        LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
+
+     *str = malloc((len + 1) * sizeof **str);
+     LY_CHECK_ERR_RET(!*str, LOGMEM(lybctx->ctx), LY_EMEM);
+ 
+@@ -281,6 +281,12 @@ lyb_read_term_value(const struct lysc_node_leaf *term, uint8_t **term_value, uin
+         *term_value_len = lyb_data_len;
+     }
+ 
+    /* *term_value_len + 1 can overflow uint32_t allocated_size when
+     * *term_value_len >= UINT32_MAX, causing malloc(0) followed by
+     * an out-of-bounds write (OOM / DoS) */
+    LY_CHECK_ERR_RET(*term_value_len >= UINT32_MAX,
+            LOGERR(lybctx->ctx, LY_EINVAL, "LYB value size overflow."), LY_EINVAL);
+
+     /* Allocate memory. */
+     allocated_size = *term_value_len + 1;
+     *term_value = malloc(allocated_size * sizeof **term_value);
--- a/libyang.spec
+++ b/libyang.spec
@ -12,7 +12,7 @@

 Name: libyang
 Version: 2.1.148
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: YANG data modeling language library
 Url: https://github.com/CESNET/libyang
 Source: %{url}/archive/v%{version}.tar.gz
@ -20,6 +20,9 @@ License: BSD-3-Clause

 # disable tests failing on s390x
 Patch1: disable-test_structure.patch
+# Original commit: https://github.com/CESNET/libyang/commit/48672b2
+# We have a different version, below is a minimal patch
+Patch2: libyang-fix-CVE-2026-44673.patch

 BuildRequires:  cmake
 BuildRequires:  doxygen
@ -112,6 +115,10 @@ cp -a doc/html %{buildroot}/%{_docdir}/libyang/html
 %{_docdir}/libyang

 %changelog
+* Mon May 25 2026 Michal Ruprich <mruprich@redhat.com> - 2.1.148-4
+- DoS or arbitrary code execution via maliciously crafted LYB binary blob
+- Resolves: RHEL-177026 - CVE-2026-44673
+
 * Wed Nov 05 2025 Michal Ruprich <mruprich@redhat.com> - 2.1.148-3
 - Resolves: RHEL-119430 - Move libyang-devel to CRB