CVE-2026-41401
Published: 26 May 2026
Summary
CVE-2026-41401 is a high-severity Use After Free (CWE-416) vulnerability in Anthropic (inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31832
Vulnerability details
libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications…
more
parsing untrusted XML data, causing process crashes or potential code execution.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in XML/YANG parser directly enables remote code execution or DoS via crafted untrusted input to public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Use-after-free exploits that achieve arbitrary code execution are blocked or significantly hardened by non-executable pages and ASLR.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 8 (1 rule)
- V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 9 (1 rule)
- V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416