{"id":"CVE-2019-20393","details":"A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted YANG input files may be vulnerable to this flaw, which would cause a crash or potentially code execution.","modified":"2026-04-11T09:39:54.070165Z","published":"2020-01-22T22:15:10.237Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"},{"type":"ADVISORY","url":"https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1"},{"type":"FIX","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1793930"},{"type":"FIX","url":"https://github.com/CESNET/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed"},{"type":"EVIDENCE","url":"https://github.com/CESNET/libyang/issues/742"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesnet/libyang","events":[{"introduced":"0"},{"last_affected":"14a95280b2bd77b5fd1d9b5f8af71b15679f1a8f"},{"introduced":"0"},{"last_affected":"ebcf465b4250c869eeb727e64b0caa419ba15465"},{"introduced":"0"},{"last_affected":"4ebd79ec4fc92f7989e45532abc55ef6593b60aa"},{"introduced":"0"},{"last_affected":"7e811613b335afc8e1b2c0ee77e7b3f371bc9175"},{"introduced":"0"},{"last_affected":"ca88008d7068eaefd9cc04b18a523283dae3561e"},{"introduced":"0"},{"last_affected":"0ee330494a94ada40da59ad6037fd3138fe8ec9a"},{"introduced":"0"},{"last_affected":"5ccd6dea3eb7256dbc835507d7253eb5596c31b2"},{"introduced":"0"},{"last_affected":"054ed1fcd480dc4130d98206548c8fe1ac512356"},{"introduced":"0"},{"last_affected":"13b20f94f080cc493b3fd22604d0635585194231"},{"introduced":"0"},{"last_affected":"2ec826a984204d034f43a7ad72d835bc99974ede"},{"introduced":"0"},{"last_affected":"9e316f344e73316bf058ef88bd5ba852ad65ba25"},{"fixed":"d9feacc4a590d35dbc1af21caf9080008b4450ed"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.11-r1"},{"introduced":"0"},{"last_affected":"0.11-r2"},{"introduced":"0"},{
"last_affected":"0.12-r1"},{"introduced":"0"},{"last_affected":"0.12-r2"},{"introduced":"0"},{"last_affected":"0.13-r1"},{"introduced":"0"},{"last_affected":"0.13-r2"},{"introduced":"0"},{"last_affected":"0.14-r1"},{"introduced":"0"},{"last_affected":"0.15-r1"},{"introduced":"0"},{"last_affected":"0.16-r1"},{"introduced":"0"},{"last_affected":"0.16-r2"},{"introduced":"0"},{"last_affected":"0.16-r3"}]}}],"versions":["v0.11-r1","v0.11-r2","v0.12-r1","v0.12-r2","v0.13-r1","v0.13-r2","v0.14-r1","v0.15-r1","v0.16-r1","v0.16-r2","v0.16-r3"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:39:54Z","vanir_signatures":[{"target":{"function":"yang_read_extcomplex_str","file":"src/parser_yang.c"},"signature_type":"Function","digest":{"length":2549,"function_hash":"210618447206416842963716160319291067596"},"source":"https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed","deprecated":false,"signature_version":"v1","id":"CVE-2019-20393-0b51fd0c"},{"target":{"file":"src/parser_yang.h"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["159197367693089516205569419912882508586","338106989825557444275081214165145915240","173638409708146125147860696944110058569","53588195873947443362605094523268632561"]},"source":"https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed","deprecated":false,"signature_version":"v1","id":"CVE-2019-20393-771ceaf5"},{"target":{"file":"src/parser_yang.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["21416199901454646743488100686154337882","99164107408091063006777308910482006306","61145605236541993103649237040225949367","25219585484697981976401862072666946141","211425843115769248843453539035067461254","339575617453095667235171076010640122886","120029062690870830515387605234494720776","36172509862558898669720294441233507847","254486200007475077881178437586168801239","177520086970103864665717550503336861879","194409106657883996911427762030776432816","117077
981437795543605848299468409372024","80297440400200033459641880579578726293","153541918219877504581369759612042270485","271518729587833602837386109568267296786","297590879985857847552467511180086627227","177270519452510328620494519888220248824"]},"source":"https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed","deprecated":false,"signature_version":"v1","id":"CVE-2019-20393-7c066af9"},{"target":{"function":"yyparse","file":"src/parser_yang_bis.c"},"signature_type":"Function","digest":{"length":121723,"function_hash":"297619105104962865464252916456058722015"},"source":"https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed","deprecated":false,"signature_version":"v1","id":"CVE-2019-20393-897a4187"},{"target":{"file":"src/parser_yang_bis.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["281173314764415771078734596198839755998","160286089755377420471048506915642211568","175388115082871246159087214172897637780","273804716555576637974727595170238162137","310981047629080967697626232498865314043","90823686894974054152352645734798982690","28012874169947363259138203723484029924","41694348609127876001830458036253700810","131777903932017419486465995440103100648","168013029427957451649208388171256321784","186245089661852243317568101655424807515","81108806283943699757978489840608461396","50197152091423902626038935630591975267","308088478696431713122006729790779885025","28599201766766415515356910472396650691","194251369466084534053266358921769586418","48886778270000747810057481298878765273","295041330686215775529943419110018374422","7550286812935820323808551807101263791","12114679460682025133744961202188155820","69563439567826275403782157747820226829","264145785382469150700010076871629393182","48015251036073566216842964328906380190","20969775262226781481092469174613296434","161875272980297512773701091650123129992","239587576820807265019085726896510712062","270582090242205734324764746108689898697","329491352
820764632893578964270107894124","89123590792079233993250112918373910657","185542756248377223930882272774750473442","143546575568490012525947902002105892405","183892370886530013127993239560636193310","192318873967208278677638109277753104145","180817541286572442755944851340801350087","263210088259807270771394852731167125662","26847781364965320247592763304101656632","97430940798891537200917969977282827827","203839397688829917857372281443131757783","185575732252900552358483226676836365434","218148538451266829825753437215346701203","213425459907171197499333283281566514602","11892478604650406129648621206888448413","104055479078570837068541309030847886051","292839487684752323339842305008817444422","337924772314129945170287766072078882562","290944425752099368339658787501825879325","239862230735436140578488231568880269421","219048122820663869899582858462045827627","260060293791655827972520123066455821443","75093356721276301056581711965015187354","294652982765899541525287073317883349072","221195174597733744918813477800015070452","103068719435928311614366960102813526850","24412773842532597515577637433450339985","138753240435025182351849187912868853524","104699215554303490721106272557452301292","73595796927291042388008768248289119025","213878865549469413887381018988286868657","246735937759765771582976692450516169314","149068710609364842013269967989769065268","331792664372799127003290740983244951507","30007146344462048416157824632232802324","657236584375837295832280113545998170","82051395226462430428823479045117612741","17883174574016127189154554461401547220","62629405015727775025619654707274040385","120656547916620015523684584115728828245","252844827007950580572148529655832974140","323601965787562601594957188307789821339","82310983095193557974985880835690465373","1817202309068896578043245509465660462","235505973840472814673301729253275616595"]},"source":"https://github.com/cesnet/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed","deprecated":false,"signature_version":"v1
","id":"CVE-2019-20393-957c8d30"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20393.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}