Cyber Resilience

CVE-2026-29078

High

Published: 13 March 2026

Modified: 18 March 2026
KEV Added
Patch
CVSS Score v4: 8.2
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0027 (18.3th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29078 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in Lexbor. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.3th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29078 is an integer underflow vulnerability (CWE-191) in the ISO-2022-JP encoder of Lexbor, an open-source web browser engine library. In versions prior to 2.7.0, the encoder fails to reset a temporary size variable between iterations, so the statement ctx->buffer_used -= size runs with a stale size value of 3. The subtraction underflows and wraps to SIZE_MAX, leading to a memcpy call with a negative length (a huge value once interpreted as size_t), followed by an out-of-bounds read from the stack and an out-of-bounds write to the heap (CWE-787). The source data is partially controllable through the contents of the DOM tree.
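The accounting error described above, as a simplified model added here (not Lexbor's code), with the flawed loop beside a hardened one. The types, function names and the two-unit input are hypothetical and constructed; only the statement ctx->buffer_used -= size and the stale value 3 come from the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for illustration, not Lexbor's real types. */
typedef struct { size_t buffer_used; } enc_ctx_t;
typedef struct { bool escape; size_t staged; } unit_t;  /* constructed input model */

/* Flawed accounting: `size` lives outside the loop and is assigned only on
 * the escape path, so a later non-escape unit subtracts the stale 3. */
size_t account_stale(enc_ctx_t *ctx, const unit_t *in, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        ctx->buffer_used += in[i].staged;
        if (in[i].escape)
            size = 3;                 /* escape sequence consumed */
        ctx->buffer_used -= size;     /* wraps when size > buffer_used */
    }
    return ctx->buffer_used;          /* this value would become a copy length */
}

/* Hardened accounting: fresh `size` per iteration, and never subtract more
 * than is buffered. Returns false on inconsistent state. */
bool account_checked(enc_ctx_t *ctx, const unit_t *in, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t size = in[i].escape ? 3 : 0;
        ctx->buffer_used += in[i].staged;
        if (size > ctx->buffer_used)
            return false;             /* fail closed instead of wrapping */
        ctx->buffer_used -= size;
    }
    return true;
}

/* Second line of defence: a copy length must fit the destination. */
bool copy_len_ok(size_t len, size_t dst_cap) { return len <= dst_cap; }

/* Constructed sample: an escape unit staging 3 bytes, then a plain unit staging 2. */
static const unit_t SAMPLE[] = { { true, 3 }, { false, 2 } };

int main(void)
{
    enc_ctx_t a = { 0 }, b = { 0 };
    size_t bad = account_stale(&a, SAMPLE, 2);
    bool ok = account_checked(&b, SAMPLE, 2);
    printf("stale=%zu copy_ok=%d | checked=%d used=%zu\n",
           bad, copy_len_ok(bad, 64), ok, b.buffer_used);
    return 0;
}
```

On the constructed input the flawed loop ends with buffer_used equal to SIZE_MAX, while the checked loop ends with 2 pending bytes.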

The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote attackers can trigger the issue by supplying malicious input processed by the encoder, potentially causing memory corruption that results in denial-of-service through application crashes.

The vulnerability is fixed in Lexbor version 2.7.0. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3.

Vulnerability details

Lexbor is a web browser engine library. Prior to 2.7.0, the ISO-2022-JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out-of-bounds read from the stack and an out-of-bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Integer underflow in browser engine library enables remote memory corruption leading to application crashes (DoS) via malicious DOM input, directly mapping to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29079: Same product: Lexbor Lexbor
CVE-2024-55627: Shared CWE-191, CWE-787
CVE-2026-29775: Shared CWE-787
CVE-2025-27598: Shared CWE-787
CVE-2026-33721: Shared CWE-787
CVE-2024-7695: Shared CWE-787
CVE-2026-40386: Shared CWE-191
CVE-2024-13168: Shared CWE-787
CVE-2026-43656: Shared CWE-787
CVE-2025-24139: Shared CWE-787

Affected Assets

lexbor
lexbor
≤ 2.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Directly requires timely flaw remediation by upgrading to Lexbor 2.7.0, which fixes the integer underflow in the ISO-2022-JP encoder.

prevent

Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to block exploitation of the out-of-bounds stack read and heap write.

prevent

Validates DOM tree inputs processed by the encoder to reject malformed content that could trigger the stale size variable underflow.