{"id":"CVE-2019-19333","details":"In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type \"bits\". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.","modified":"2026-04-11T12:42:34.773813Z","published":"2019-12-06T16:15:10.827Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4360"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19333"},{"type":"FIX","url":"https://github.com/CESNET/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesnet/libyang","events":[{"introduced":"0"},{"last_affected":"14a95280b2bd77b5fd1d9b5f8af71b15679f1a8f"},{"introduced":"0"},{"last_affected":"ebcf465b4250c869eeb727e64b0caa419ba15465"},{"introduced":"0"},{"last_affected":"4ebd79ec4fc92f7989e45532abc55ef6593b60aa"},{"introduced":"0"},{"last_affected":"7e811613b335afc8e1b2c0ee77e7b3f371bc9175"},{"introduced":"0"},{"last_affected":"ca88008d7068eaefd9cc04b18a523283dae3561e"},{"introduced":"0"},{"last_affected":"0ee330494a94ada40da59ad6037fd3138fe8ec9a"},{"introduced":"0"},{"last_affected":"5ccd6dea3eb7256dbc835507d7253eb5596c31b2"},{"introduced":"0"},{"last_affected":"054ed1fcd480dc4130d98206548c8fe1ac512356"},{"introduced":"0"},{"last_affected":"13b20f94f080cc493b3fd22604d0635585194231"},{"introduced":"0"},{"last_affected":"2ec826a984204d034f43a7ad72d835bc99974ede"},{"introduced":"0"},{"last_affected":"9e316f344e73316bf058ef88bd5ba852ad65ba25"},{"introduced":"0"},{"last_affected":"a3e312c65573d90dd5bedf0744e473a9bbd2ece3"},{"introduced":"0"},{"last_affected":"347246611b85e05d16f54faaa5697c4b2ee4b468"},{"introduced":"0"},{"last_affected":"3defd82abbdc082b947343e9e7e78952144f39a5"},{"introduced":"0"},{"last_affected":"64248ec90179740e66416c78e0b3b914a8a07d30"},{"fixed":"f6d684ade99dd37b21babaa8a856f64faa1e2e0d"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.11-r1"},{"introduced":"0"},{"last_affected":"0.11-r2"},{"introduced":"0"},{"last_affected":"0.12-r1"},{"introduced":"0"},{"last_affected":"0.12-r2"},{"introduced":"0"},{"last_affected":"0.13-r1"},{"introduced":"0"},{"last_affected":"0.13-r2"},{"introduced":"0"},{"last_affected":"0.14-r1"},{"introduced":"0"},{"last_affected":"0.15-r1"},{"introduced":"0"},{"last_affected":"0.16-r1"},{"introduced":"0"},{"last_affected":"0.16-r2"},{"introduced":"0"},{"last_affected":"0.16-r3"},{"introduced":"0"},{"last_affected":"1.0-r1"},{"introduced":"0"},{"last_affected":"1.0-r2"},{"introduced":"0"},{"last_affected":"1.0-r3"},{"introduced":"0"},{"last_affected":"1.0-r4"}]}}],"versions":["v0.11-r1","v0.11-r2","v0.12-r1","v0.12-r2","v0.13-r1","v0.13-r2","v0.14-r1","v0.15-r1","v0.16-r1","v0.16-r2","v0.16-r3","v1.0-r1","v1.0-r2","v1.0-r3","v1.0-r4"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]}],"vanir_signatures_modified":"2026-04-11T12:42:34Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19333.json","vanir_signatures":[{"deprecated":false,"source":"https://github.com/cesnet/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d","id":"CVE-2019-19333-54c063a4","target":{"file":"src/parser.c"},"signature_type":"Line","signature_version":"v1","digest":{"line_hashes":["334471996539810398492372019661608692698","321054351878955075954225498848514426410","330559676876734502436713772992797683414","252560790461031359405142855563144916674","144772618624573536201806274884929000418","264109637968431316713501596108226264326","256436359385121855742879318235101508159","257497894976629936425229006335056081901","100741878158251156117091495233053318482","164910467799438547400572389016680860836","18498944879162834952018040102605963852","74692603639140247032407400404797642411","206905067371627550411298773987938593408","199696630025075120738538754868869500982","143999457789541275777950909101806597706","337123191113408896032731456146724870093","38506470973442490246593208062541369373","232974998945348424596024458348097929279","33927130023216444636510925346833465232","93342640063938535690871158809650766437","293607633712266074747184482139937970392","323492741436382866424156113171179369045","79069849395469332803695034368686753712","191072771502732256344378039616340216304","86287456176921863070614413732721531679","93342640063938535690871158809650766437","289803600205996715864181594020979185868","266531099063554310931482853127352657134","134765870725183274392961611215565285449","129864769303552823223846541708161654256","84349857869984214145950757285860606869","93342640063938535690871158809650766437","2691920860723853517192748457654413921","196160761933978054025555355482189607179","187142566956704064584681507762530907916","116104360919938484163183476330351032945","189158417321900088980703125751826611391","14715710603002107748409467027324862864","21452163599268014496861825430017078390","93342640063938535690871158809650766437","185031130831962799991911909667965746904","217373179414626182112457442904800786364","242718933368251040055759056691687502751","93342640063938535690871158809650766437","169472550621565699607414787057691121952","114347609636665541855332385742691498326","97633593029876905905445754462119764630","67543373166406810932547016329833398560","116801799157631809799463157479327976507","288337918528810625316678962350993551572","269327132366709281352608185703946293415","244650307724943357708315298420783370400","259820417889819695477791206026409639811","83759769623718391944955031035273066796","286537893458745778171946271135314213549","315411243895366700643419144917671348201","320543448377446559693251401697342330377","163087677883701239515719122378178306820","993505327199869251421308039898759985","76968873125642809468597428039919814379","7897699650730424187346960220384900518","86936532195464564834241141806129258475","143012183388028225374918525061846077256","314529518830465321809357797430444363126","81822149721664718623872845796634125694","65629062375420202290516003165472980808","144128200826374910777751276134626966025","59770547100959038519763387218659507729","163084928372717900405270673876217073242","258714099476411362365603515506891067978","200787646273356945741129916356165920740","119876339178894491483853178431736108600","207343411094638613303236621472701580759","91610770683500600195240348424644975375","43860170600015034303926382194242807218","53489379656777685874493989034546079117","307958280951392836544463138929309706422","86772752028097542656483648212070460914","181462016179561410838289068439881708468","286261703346845596981542084356718267946","32031408715641287946078244955786232231","128924447793007793100200597654131317005","28724722652751251309716732377454256305","211478222578490617588045526752786821451","180808194046977130665704230599333404159","50645879730626450926294245922566608010","157349886324739720143881325863232586172","189903354822162031249207651140379387196","152819423249475433864335302985625248373","110421708408951972675076998062725176943","20669784894527800834488827863373749690","123288276936653743816454918314040986396","114261504518443065273442604249227474897","107967203981463349850635056600965859686","158106926903656624197401611929532829826","177411624331497633624319115640760156496","236675276576501684116616238506458937231","310514053558478448191395762883643320879"],"threshold":0.9}},{"deprecated":false,"source":"https://github.com/cesnet/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d","id":"CVE-2019-19333-c41275ba","target":{"file":"src/parser.c","function":"lyp_parse_value"},"signature_type":"Function","signature_version":"v1","digest":{"length":15487,"function_hash":"268564139688612298568166183773794433157"}},{"deprecated":false,"source":"https://github.com/cesnet/libyang/commit/f6d684ade99dd37b21babaa8a856f64faa1e2e0d","id":"CVE-2019-19333-ebc562fa","target":{"file":"src/parser.c","function":"make_canonical"},"signature_type":"Function","signature_version":"v1","digest":{"length":3280,"function_hash":"181214448536743353973309836363174171853"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}