CVE-2023-26917: 
NixOS vulnerability analysis and mitigation

CVE-2023-26917 affects libyang versions from v2.0.164 to v2.1.30. The vulnerability was discovered and disclosed on April 11, 2023, involving a NULL pointer dereference vulnerability in the lyspstmtvalidatevalue function within the lysparse_mem.c file (NVD).

The vulnerability is characterized by a NULL pointer dereference in the lyspstmtvalidate_value function. The issue occurs when the function fails to check whether the 'val' parameter is NULL before performing operations, specifically in the 'while (*val)' operation at line 390 of the source code. This oversight can lead to a crash when attempting to access the NULL pointer. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD, Ubuntu).

The vulnerability primarily affects system availability. When exploited, it can cause the application to crash due to the NULL pointer dereference, potentially leading to a denial of service condition. The CVSS metrics indicate no impact on confidentiality or integrity, but a high impact on availability (NVD).

The vulnerability has been fixed in later versions of libyang. Users should upgrade to a version newer than 2.1.30. For Debian systems, fixed versions are available in sid and trixie distributions with version 2.1.148-0.2 (Debian Tracker).