CVE-2026-29078 — HIGH (7.5)

Vulnerability Description

Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lexbor	Lexbor	< 2.7.0

Related Weaknesses (CWE)

CWE-191 CWE-787

References

https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3Vendor Advisory

FAQ

What is CVE-2026-29078?

CVE-2026-29078 is a vulnerability with a CVSS score of 7.5 (HIGH). Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a s...

How severe is CVE-2026-29078?

CVE-2026-29078 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-29078?

Check the references section above for vendor advisories and patch information. Affected products include: Lexbor Lexbor.