Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.
AnalysisAI
Denial of service in Lexbor prior to version 2.7.0 results from a type-confusion vulnerability in the HTML fragment parser that corrupts memory and causes a null pointer dereference. An unauthenticated remote attacker can exploit this by sending malformed HTML to crash applications using the vulnerable Lexbor library. No patch is currently available.
Technical ContextAI
Lexbor is a web browser engine library used for HTML/CSS parsing and DOM manipulation. The vulnerability stems from CWE-843 (Access of Resource Using Incompatible Type), where the parser incorrectly handles comments when the namespace is undefined. Specifically, it uses an 'unknown element' constructor for comments, then performs an unsafe cast that writes comment data into element fields, corrupting the qualified_name field. This corrupted pointer is later dereferenced near the zero page, causing a crash. The affected product is identified as cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:* for versions prior to 2.7.0.
RemediationAI
Upgrade Lexbor to version 2.7.0 or later, which contains the fix for this vulnerability as documented in the GitHub advisory at https://github.com/lexbor/lexbor/security/advisories/GHSA-qj22-49rc-vv5m. If immediate patching is not feasible, consider implementing input validation to filter potentially malicious HTML fragments before processing, though this is not a complete mitigation. Monitor application logs for unexpected crashes or null pointer dereferences that could indicate exploitation attempts.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12054