Skip to main content

Lexbor CVE-2026-29079

| EUVDEUVD-2026-12054 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-03-13 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:22 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.7.0
EUVD ID Assigned
Mar 13, 2026 - 18:00 euvd
EUVD-2026-12054
Analysis Generated
Mar 13, 2026 - 18:00 vuln.today
CVE Published
Mar 13, 2026 - 17:19 nvd
HIGH 7.5

DescriptionGitHub Advisory

Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.

AnalysisAI

Denial of service in Lexbor prior to version 2.7.0 results from a type-confusion vulnerability in the HTML fragment parser that corrupts memory and causes a null pointer dereference. An unauthenticated remote attacker can exploit this by sending malformed HTML to crash applications using the vulnerable Lexbor library. No patch is currently available.

Technical ContextAI

Lexbor is a web browser engine library used for HTML/CSS parsing and DOM manipulation. The vulnerability stems from CWE-843 (Access of Resource Using Incompatible Type), where the parser incorrectly handles comments when the namespace is undefined. Specifically, it uses an 'unknown element' constructor for comments, then performs an unsafe cast that writes comment data into element fields, corrupting the qualified_name field. This corrupted pointer is later dereferenced near the zero page, causing a crash. The affected product is identified as cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:* for versions prior to 2.7.0.

RemediationAI

Upgrade Lexbor to version 2.7.0 or later, which contains the fix for this vulnerability as documented in the GitHub advisory at https://github.com/lexbor/lexbor/security/advisories/GHSA-qj22-49rc-vv5m. If immediate patching is not feasible, consider implementing input validation to filter potentially malicious HTML fragments before processing, though this is not a complete mitigation. Monitor application logs for unexpected crashes or null pointer dereferences that could indicate exploitation attempts.

Share

CVE-2026-29079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy