CVE-2026-29078
Published: 13 March 2026
Summary
CVE-2026-29078 is a high-severity Wrap or Wraparound (CWE-191) vulnerability in Lexbor Lexbor. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Integer underflow in browser engine library enables remote memory corruption leading to application crashes (DoS) via malicious DOM input, directly mapping to application exploitation for endpoint DoS.
NVD Description
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that…
more
wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
Deeper analysisAI
CVE-2026-29078 is an integer underflow vulnerability (CWE-191) in the ISO-2022-JP encoder of Lexbor, an open-source web browser engine library. In versions prior to 2.7.0, the encoder fails to reset a temporary size variable between iterations, resulting in the statement ctx->buffer_used -= size using a stale size value of 3. This causes an underflow that wraps to SIZE_MAX, leading to a memcpy call with a negative length and subsequent out-of-bounds read from the stack and out-of-bounds write to the heap (CWE-787). The source data is partially controllable through the contents of the DOM tree.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote attackers can trigger the issue by supplying malicious input processed by the encoder, potentially causing memory corruption that results in denial-of-service through application crashes.
The vulnerability is fixed in Lexbor version 2.7.0. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3.
Details
- CWE(s)