Cyber Posture

CVE-2026-41401

Severity: Medium · Public PoC

Published: 26 May 2026
Modified: 26 May 2026
KEV Added: not listed
Patch: (no entry)
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (9.5th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-41401 is a medium-severity Use After Free (CWE-416) vulnerability attributed to Anthropic (vendor inferred from references; see Affected Products below). Its CVSS base score is 6.5 (Medium); the vector rates the impact as availability only (C:N/I:N/A:H).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 9.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).

Threat & Defense Details

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-416

Non-executable memory pages and ASLR block or significantly harden use-after-free exploits that aim at arbitrary code execution. They do not prevent the process crash (denial of service) that the same bug can cause, which is the impact the CVSS vector for this CVE actually scores.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

A use-after-free in the XML/YANG parser directly enables remote code execution or denial of service via crafted untrusted input to public-facing applications that parse it.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lyd_parser_set_data_flags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata attributes to applications parsing untrusted XML data, causing process crashes or potential code execution.

Deeper analysis (AI-generated)

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-416 (Use After Free)

Affected Products

Anthropic (vendor inferred from references and description; NVD did not file a CPE for this CVE). Note that the NVD description above names the affected component as libyang before 5.2.6.

EU & UK References

References