CVE-2026-29079

Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-13 19:54

Updated : 2026-03-18 20:20

NVD link : CVE-2026-29079

Mitre link : CVE-2026-29079

CVE.ORG link : CVE-2026-29079

JSON object : View

Products Affected

lexbor

lexbor

CWE

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

{"id": "CVE-2026-29079", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-13T19:54:32.747", "references": [{"url": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "Lexbor is a web browser engine library. Prior to 2.7.0, a type\u2011confusion vulnerability exists in Lexbor\u2019s HTML fragment parser. When ns = UNDEF, a comment is created using the \u201cunknown element\u201d constructor. The comment\u2019s data are written into the element\u2019s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0."}, {"lang": "es", "value": "Lexbor es una biblioteca de motor de navegador web. Antes de la versi\u00f3n 2.7.0, existe una vulnerabilidad de confusi\u00f3n de tipos en el analizador de fragmentos HTML de Lexbor. Cuando ns = UNDEF, se crea un comentario utilizando el constructor de 'elemento desconocido'. Los datos del comentario se escriben en los campos del elemento a trav\u00e9s de una conversi\u00f3n insegura, corrompiendo el campo qualified_name. Ese valor corrupto se utiliza posteriormente como puntero y se desreferencia cerca de la p\u00e1gina cero. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 2.7.0."}], "lastModified": "2026-03-18T20:20:53.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "431D7C04-4D6F-4F52-8EAA-60DD304831BD", "versionEndExcluding": "2.7.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}