Login Sign Up

CVE-2021-28904

7.5 HIGH
Denial of Service

📋 TL;DR

This vulnerability in libyang's ext_get_plugin() function allows a NULL pointer dereference when the revision parameter is NULL, causing a crash. It affects systems using libyang v1.0.225 and earlier for YANG data modeling. The crash can lead to denial of service for applications relying on this library.

💻 Affected Systems

Products:
  • libyang
Versions: v1.0.225 and earlier
Operating Systems: All platforms running libyang
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where ext_get_plugin() is called with NULL revision parameter. Applications using libyang for YANG data modeling are vulnerable.

📦 What is this software?

Libyang by Cesnet

View all CVEs affecting Libyang →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete application crash leading to denial of service for systems using libyang, potentially affecting network management systems, routers, or other infrastructure components.

🟠

Likely Case

Application instability or crashes when processing malformed YANG data with NULL revision values, causing service interruptions.

🟢

If Mitigated

Minimal impact if proper input validation is implemented at the application layer or if the vulnerable function isn't called with NULL parameters.

🌐 Internet-Facing: MEDIUM - Applications exposed to untrusted YANG data inputs could be crashed remotely, but requires specific conditions.
🏢 Internal Only: MEDIUM - Internal systems processing YANG data from untrusted sources could experience service disruptions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to trigger ext_get_plugin() with NULL revision parameter, which depends on application usage patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.226 and later

Vendor Advisory: https://github.com/CESNET/libyang/issues/1451

Restart Required: Yes

Instructions:

1. Update libyang to v1.0.226 or later. 2. Recompile applications using libyang. 3. Restart affected services.

🔧 Temporary Workarounds

Input validation wrapper

all

Add NULL check before calling ext_get_plugin() in application code

// C code example: if (revision != NULL) ext_get_plugin(...);

🧯 If You Can't Patch

  • Implement application-level input validation to prevent NULL revision parameters
  • Isolate systems using vulnerable libyang versions from untrusted data sources

🔍 How to Verify

Check if Vulnerable:

Check libyang version: yang --version or check package manager

Check Version:

yang --version 2>/dev/null || dpkg -l | grep libyang || rpm -qa | grep libyang

Verify Fix Applied:

Verify version is v1.0.226 or later and test with NULL revision inputs

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Core dumps from libyang processes
  • Error logs mentioning ext_get_plugin

Network Indicators:

  • Unusual YANG data submissions to network management interfaces

SIEM Query:

process:name="yang" AND event:type="crash" OR error:"segmentation fault"

📊 Metadata

CVE ID: CVE-2021-28904
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-252
Published: May 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-28904, you might also want to check these:

CVE-1999-0199 9.8

This CVE describes a documentation issue in glibc's tdelete function where the return value behavior...

Same vulnerability type (CWE-252)
CVE-2025-66565 9.8

A critical vulnerability in Fiber Utils library versions 2.0.0-rc.3 and below causes predictable UUI...

Same vulnerability type (CWE-252)
CVE-2021-26955 9.8

This vulnerability in the xcb Rust crate allows attackers to trigger undefined behavior by exploitin...

Same vulnerability type (CWE-252)