Summary
A heap use-after-free write in libyang’s XML data parser can be triggered by a crafted YANG XML document with specific metadata attributes, leading to memory corruption (process crash, and potentially code execution in some deployments).
In lyd_parser_set_data_flags at src/parser_common.c:316-319, the metadata list head pointer is incorrectly updated when freeing a non-head "default" metadata entry.
Validated against: https://github.com/CESNET/libyang @ 6b5ed47 (devel)
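To make the bug class in the summary concrete, the following is an added C example, not libyang's code and not the patch from the attached zip: a toy singly linked metadata list from which a synthetic "default" entry is removed either by maintaining only the head pointer (the defective pattern) or by unlinking through the predecessor (the fix). The struct, all function names and the sample lists are constructed for this example, and the real defect in lyd_parser_set_data_flags may differ in detail. Instead of calling free(), a removed node is only marked, so the check stays defined behaviour; it returns -1 when a marked node is still reachable from the head, which is the kind of dangling link that, on the real list, surfaces as the use-after-free write the PoC triggers in lyd_insert_meta.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical metadata node, modelled only on the advisory's description of a
 * singly linked metadata list; it is not libyang's struct lyd_meta. */
struct meta {
    const char *name;
    int is_default;     /* the synthetic "default" entry the parser drops */
    int freed;          /* set instead of free() so the check below is defined behaviour */
    struct meta *next;
};

static struct meta *meta_new(const char *name, int is_default)
{
    struct meta *m = calloc(1, sizeof *m);
    if (!m) abort();
    m->name = name;
    m->is_default = is_default;
    return m;
}

/* Tail append: the walk and the final store are where a dangling 'next' left
 * by an earlier bad unlink turns into a use-after-free write. */
static void meta_append(struct meta **head, struct meta *m)
{
    struct meta *last;
    if (!*head) { *head = m; return; }
    for (last = *head; last->next; last = last->next)
        ;
    last->next = m;
}

/* Defective pattern: only the head pointer is maintained. When the "default"
 * entry is not the head, its predecessor still points at the released node. */
static void drop_default_buggy(struct meta **head)
{
    struct meta *m, *next;
    for (m = *head; m; m = next) {
        next = m->next;
        if (!m->is_default) continue;
        if (*head == m) *head = next;   /* correct only for the head node */
        m->freed = 1;                   /* stands in for free(m) */
    }
}

/* Fixed pattern: walk with a pointer to the link that reaches the current node
 * (the head slot or the predecessor's 'next') and unlink through it. */
static void drop_default_fixed(struct meta **head)
{
    struct meta **link = head, *m;
    while ((m = *link)) {
        if (m->is_default) {
            *link = m->next;
            m->freed = 1;               /* stands in for free(m) */
        } else {
            link = &m->next;
        }
    }
}

/* Count nodes reachable from head; -1 if a released node is still linked in. */
static int meta_check_links(const struct meta *head)
{
    int n = 0;
    for (; head; head = head->next) {
        if (head->freed) return -1;
        n++;
    }
    return n;
}

/* Constructed sample: three entries, the "default" one first or in the middle. */
static int scenario(void (*drop)(struct meta **), int default_first)
{
    struct meta *head = NULL;
    struct meta *a = meta_new("a", 0), *d = meta_new("default", 1), *b = meta_new("b", 0);
    if (default_first) { meta_append(&head, d); meta_append(&head, a); }
    else               { meta_append(&head, a); meta_append(&head, d); }
    meta_append(&head, b);
    drop(&head);
    int r = meta_check_links(head);
    free(a); free(d); free(b);      /* real frees, after the check, to stay leak-free */
    return r;
}

int scenario_buggy_head(void)    { return scenario(drop_default_buggy, 1); }
int scenario_buggy_nonhead(void) { return scenario(drop_default_buggy, 0); }
int scenario_fixed_head(void)    { return scenario(drop_default_fixed, 1); }
int scenario_fixed_nonhead(void) { return scenario(drop_default_fixed, 0); }

int main(void)
{
    printf("buggy, default at head:     %d\n", scenario_buggy_head());
    printf("buggy, default not at head: %d\n", scenario_buggy_nonhead());
    printf("fixed, default at head:     %d\n", scenario_fixed_head());
    printf("fixed, default not at head: %d\n", scenario_fixed_nonhead());
    return 0;
}
```

The head-position case passes under both strategies, which is why such a defect survives tests that only put the "default" attribute first; the non-head case is the one that needs the predecessor unlink, and a sanitizer build of the fuzz target (as in the reproduction steps above) is what surfaces it.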
Details and PoC
Build fuzzers:
git clone https://github.com/google/oss-fuzz.git
cd oss-fuzz
python3 infra/helper.py build_fuzzers --sanitizer address libyang
Run the PoC: python3 infra/helper.py reproduce libyang lyd_parse_mem_xml poc.bin
Expected output: ASAN reports heap-use-after-free WRITE in lyd_insert_meta at tree_data.c:1313.
We have attached a zip containing:
- Full technical details of each finding
- Reproduction steps and proof-of-concept where applicable
- Candidate patch(es) with regression tests
Impact
Any application using libyang to parse attacker-controlled (or semi-trusted) XML-encoded YANG instance data (NETCONF/RESTCONF, config import, etc.) is impacted. That can lead to denial of service issues. Depending on allocator behavior and application heap layout, memory corruption could potentially be leveraged further.
Bug discovery context
Anthropic is conducting research into the use of large language models for automated vulnerability discovery in open source software. As part of that work, Anthropic used Claude to scan a set of widely used open source projects for security issues. Anthropic then engaged Trail of Bits to independently triage, manually validate, and develop patches for the findings. Each issue in this report has been reviewed and confirmed by human security researchers at Trail of Bits.
Thank you for your work on libyang!