{"id":"CVE-2019-20395","details":"A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.","modified":"2026-04-11T09:39:53.511178Z","published":"2020-01-22T22:15:10.423Z","references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html"},{"type":"ADVISORY","url":"https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1"},{"type":"ADVISORY","url":"https://github.com/CESNET/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1793924"},{"type":"EVIDENCE","url":"https://github.com/CESNET/libyang/issues/724"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cesnet/libyang","events":[{"introduced":"0"},{"last_affected":"14a95280b2bd77b5fd1d9b5f8af71b15679f1a8f"},{"introduced":"0"},{"last_affected":"ebcf465b4250c869eeb727e64b0caa419ba15465"},{"introduced":"0"},{"last_affected":"4ebd79ec4fc92f7989e45532abc55ef6593b60aa"},{"introduced":"0"},{"last_affected":"7e811613b335afc8e1b2c0ee77e7b3f371bc9175"},{"introduced":"0"},{"last_affected":"ca88008d7068eaefd9cc04b18a523283dae3561e"},{"introduced":"0"},{"last_affected":"0ee330494a94ada40da59ad6037fd3138fe8ec9a"},{"introduced":"0"},{"last_affected":"5ccd6dea3eb7256dbc835507d7253eb5596c31b2"},{"introduced":"0"},{"last_affected":"054ed1fcd480dc4130d98206548c8fe1ac512356"},{"introduced":"0"},{"last_affected":"13b20f94f080cc493b3fd22604d0635585194231"},{"introduced":"0"},{"last_affected":"2ec826a984204d034f43a7ad72d835bc99974ede"},{"introduced":"0"},{"last_affected":"9e316f344e73316bf058ef88bd5ba852ad65ba25"},{"fixed":"4e610ccd87a2ba9413819777d508f71163fcc237"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.11-r1"},{"introduced":"0"},{"last_affected":"0.11-r2"},{"introduced":"0"},{"last_affected":"0.12-r1"},{"introduced":"0"},{"last_affected":"0.12-r2"},{"introduced":"0"},{"last_affected":"0.13-r1"},{"introduced":"0"},{"last_affected":"0.13-r2"},{"introduced":"0"},{"last_affected":"0.14-r1"},{"introduced":"0"},{"last_affected":"0.15-r1"},{"introduced":"0"},{"last_affected":"0.16-r1"},{"introduced":"0"},{"last_affected":"0.16-r2"},{"introduced":"0"},{"last_affected":"0.16-r3"}]}}],"versions":["v0.11-r1","v0.11-r2","v0.12-r1","v0.12-r2","v0.13-r1","v0.13-r2","v0.14-r1","v0.15-r1","v0.16-r1","v0.16-r2","v0.16-r3"],"database_specific":{"vanir_signatures_modified":"2026-04-11T09:39:53Z","vanir_signatures":[{"target":{"file":"src/resolve.c"},"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["3709349080758321315407667873054799407","40654331277087705153599236626700139120","218179774092547475255011025591562155373","26945906380788539331119058460512143650","264360412021372370516957297717262205066","284379208038719699281704151082864052738","171523464213288179775304606129955718185","173219762027759162992708704487438489215","169767442580532088647275499892906396249","163540545431702451184062262278825169497","230432405834600232943716359155561282208","210958065997923273270503473910467040005","52705719169573697649606145238168379853","74978519002525096908372406906754533918","338968714568132339179493525815625457068","110431218070066215195198435093039810576","168996680281455421702825745518376836742","237265185966647641462833730081134853855","130432884066073796841987305543045007877","41856024564754209253740145975891080938","187918657215396913159733145370849044587","235627434437076040235478635208155584990","156231516063688709759703948455246765715","281878610022157967428454344263993798914","37651723104265209483492304430164809389","17285245695473915830116170919378033615","68990558883184452840172507034795811974","91835791136993315471851169704730021515","179910586640509158592462293263687892249","32072546804617593968369651922607475827","212636670241501265826527964257535120951","169169816915948622447376095793041624614","203215452072960001537708029648505410179","167325683983032162877898557235445539388","50591885780544046276219277659510187527","334471996539810398492372019661608692698"]},"deprecated":false,"id":"CVE-2019-20395-1d76204d","source":"https://github.com/cesnet/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237","signature_version":"v1"},{"target":{"file":"src/resolve.c","function":"resolve_superior_type"},"signature_type":"Function","digest":{"function_hash":"35331683292158375526001179803226955979","length":2365},"deprecated":false,"id":"CVE-2019-20395-59c63e27","source":"https://github.com/cesnet/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-20395.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}