{"id":"CVE-2019-19334","details":"In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type \"identityref\". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.","modified":"2026-03-14T04:43:06.123122Z","published":"2019-12-06T16:15:10.920Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:4360"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334"},{"type":"FIX","url":"https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesnet/libyang","events":[{"introduced":"0"},{"last_affected":"14a95280b2bd77b5fd1d9b5f8af71b15679f1a8f"},{"introduced":"0"},{"last_affected":"ebcf465b4250c869eeb727e64b0caa419ba15465"},{"introduced":"0"},{"last_affected":"4ebd79ec4fc92f7989e45532abc55ef6593b60aa"},{"introduced":"0"},{"last_affected":"7e811613b335afc8e1b2c0ee77e7b3f371bc9175"},{"introduced":"0"},{"last_affected":"ca88008d7068eaefd9cc04b18a523283dae3561e"},{"introduced":"0"},{"last_affected":"0ee330494a94ada40da59ad6037fd3138fe8ec9a"},{"introduced":"0"},{"last_affected":"5ccd6dea3eb7256dbc835507d7253eb5596c31b2"},{"introduced":"0"},{"last_affected":"054ed1fcd480dc4130d98206548c8fe1ac512356"},{"introduced":"0"},{"last_affected":"13b20f94f080cc493b3fd22604d0635585194231"},{"introduced":"0"},{"last_affected":"2ec826a984204d034f43a7ad72d835bc99974ede"},{"introduced":"0"},{"last_affected":"9e316f344e73316bf058ef88bd5ba852ad65ba25"},{"introduced":"0"},{"last_affected":"a3e312c65573d90dd5bedf0744e473a9bbd2ece3"},{"introduced":"0"},{"last_affected":"347246611b85e05d16f54faaa5697c4b2ee4b468"},{"introduced":"0"},{"last_affected":"3defd82abbdc082b947343e9e7e78952144f39a5"},{"introduced":"0"},{"last_affected":"64248ec90179740e66416c78e0b3b914a8a07d30"},{"fixed":"6980afae2ff9fcd6d67508b0a3f694d75fd059d6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.11-r1"},{"introduced":"0"},{"last_affected":"0.11-r2"},{"introduced":"0"},{"last_affected":"0.12-r1"},{"introduced":"0"},{"last_affected":"0.12-r2"},{"introduced":"0"},{"last_affected":"0.13-r1"},{"introduced":"0"},{"last_affected":"0.13-r2"},{"introduced":"0"},{"last_affected":"0.14-r1"},{"introduced":"0"},{"last_affected":"0.15-r1"},{"introduced":"0"},{"last_affected":"0.16-r1"},{"introduced":"0"},{"last_affected":"0.16-r2"},{"introduced":"0"},{"last_affected":"0.16-r3"},{"introduced":"0"},{"last_affected":"1.0-r1"},{"introduced":"0"},{"last_affected":"1.0-r2"},{"introduced":"0"},{"last_affected":"1.0-r3"},{"introduced":"0"},{"last_affected":"1.0-r4"}]}}],"versions":["v0.11-r1","v0.11-r2","v0.12-r1","v0.12-r2","v0.13-r1","v0.13-r2","v0.14-r1","v0.15-r1","v0.16-r1","v0.16-r2","v0.16-r3","v1.0-r1","v1.0-r2","v1.0-r3","v1.0-r4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-19334.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"31"}]}],"vanir_signatures":[{"signature_version":"v1","deprecated":false,"id":"CVE-2019-19334-0fc85d57","digest":{"line_hashes":["292995609282841363669975935046566204682","149517033522983099106477072070701937564","297297297624460440254951196547675551567","72996930533404138982397399557811059557","274334248161745766359455477880545863750","199060229445835364465972116034786537046"],"threshold":0.9},"target":{"file":"src/parser.c"},"source":"https://github.com/cesnet/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6","signature_type":"Line"},{"signature_version":"v1","deprecated":false,"id":"CVE-2019-19334-8e9f3d59","digest":{"length":3550,"function_hash":"264754062392839519042860666898880122305"},"target":{"function":"make_canonical","file":"src/parser.c"},"source":"https://github.com/cesnet/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6","signature_type":"Function"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}