libyang Heap Use-After-Free Write Vulnerability in XML Metadata Parsing

Vulnerability

A heap use-after-free write vulnerability has been identified in libyang versions prior to 5.2.6. The flaw is in the function lyd_parser_set_data_flags, which improperly updates the metadata list head pointer when freeing non-head default metadata entries. It can be triggered by submitting crafted YANG XML documents with specific metadata attributes to applications that parse untrusted XML data. Exploitation can lead to process crashes or potentially allow code execution, depending on the application's heap management.
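The list-handling rule behind this bug class, as an added example that is not libyang's code: when entries are freed while walking a singly linked list, the head pointer may only be rewritten if the head itself is the entry being freed. The struct and the functions meta_push, meta_remove_all and demo are hypothetical, and the list contents are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a metadata entry; not libyang's struct. */
struct meta {
    const char *name;
    struct meta *next;
};

/* Prepend an entry and return the new head. */
static struct meta *meta_push(struct meta *head, const char *name) {
    struct meta *m = malloc(sizeof(*m));
    if (!m) abort();
    m->name = name;
    m->next = head;
    return m;
}

/* Free every entry called `name`. `link` points at whichever pointer
 * references the current entry: the caller's head for the first entry, the
 * predecessor's `next` for the rest. Writing through it changes the head
 * only when the head itself is removed. */
static int meta_remove_all(struct meta **head, const char *name) {
    struct meta **link = head;
    int removed = 0;
    while (*link) {
        struct meta *cur = *link;
        if (strcmp(cur->name, name) == 0) {
            *link = cur->next; /* unlink first, then free */
            free(cur);
            removed++;
        } else {
            link = &cur->next;
        }
    }
    return removed;
}

/* Constructed list a -> default -> b -> default; returns 1 if a -> b remains. */
static int demo(void) {
    struct meta *h = meta_push(meta_push(meta_push(meta_push(NULL, "default"), "b"), "default"), "a");
    int n = meta_remove_all(&h, "default");
    int ok = n == 2 && h && !strcmp(h->name, "a") && h->next &&
             !strcmp(h->next->name, "b") && !h->next->next;
    meta_remove_all(&h, "a");
    meta_remove_all(&h, "b");
    return ok && h == NULL;
}
int main(void) { return demo() ? 0 : 1; }
```

Building this with -fsanitize=address gives a clean run, which is the expected result for any removal routine that never leaves a pointer to a freed entry reachable.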

Impact

Exploitation of this vulnerability causes memory corruption, which can lead to a process crash. In some cases, this memory corruption could be leveraged for code execution, depending on the application's heap layout and allocator behavior.

Reproduction

The vulnerability can be reproduced with a crafted YANG XML document that includes specific metadata attributes designed to exploit the improper handling of default metadata entries. Parsing the document with libyang's XML data parser triggers the use-after-free condition. The condition can be verified using AddressSanitizer, which will report the heap-use-after-free write error.

Remediation

Users are advised to update libyang to version 5.2.6 or later, where this vulnerability has been patched.

Added: May 26, 2026, 4:54 PM
Updated: May 26, 2026, 4:54 PM

Vulnerability Rating

Custom Algorithm

spread: 2.4
impact: 7.5
exploitability: 5.5
remediation: 7.7
relevance: 9.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.