Cyber Resilience

CVE-2026-44673

High

Published: 14 May 2026

Published
14 May 2026
Modified
15 May 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0007 21.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44673 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

libyang is a YANG data modeling language library. Prior to SO 5.2.15, lyb_read_string() in src/parser_lyb.c contains an integer overflow that results in a heap buffer overflow when parsing a maliciously crafted LYB binary blob. An attacker who can supply LYB…

more

data to any libyang consumer (NETCONF server, sysrepo, etc.) can trigger a crash or potential heap corruption. This vulnerability is fixed in SO 5.2.15.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Integer overflow leading to heap buffer overflow in libyang parser enables remote exploitation of public-facing NETCONF/sysrepo servers via malicious LYB input.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30404Shared CWE-190
CVE-2025-53518Shared CWE-190
CVE-2024-55656Shared CWE-190
CVE-2024-11347Shared CWE-190
CVE-2026-31649Shared CWE-190
CVE-2025-14308Shared CWE-190
CVE-2026-41416Shared CWE-190
CVE-2026-24830Shared CWE-190
CVE-2026-5121Shared CWE-190
CVE-2026-25208Shared CWE-190

Affected Assets

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References