CVE-2026-29078
Published: 13 March 2026
Summary
CVE-2026-29078 is a high-severity Integer Underflow (Wrap or Wraparound) (CWE-191) vulnerability in Lexbor. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 18.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29078 is an integer underflow vulnerability (CWE-191) in the ISO-2022-JP encoder of Lexbor, an open-source web browser engine library. In versions prior to 2.7.0, the encoder fails to reset a temporary size variable between iterations, so the statement ctx->buffer_used -= size runs with a stale size value of 3. The subtraction underflows and wraps to SIZE_MAX, leading to a memcpy call with a negative length (which memcpy, taking a size_t, treats as a very large byte count) and a subsequent out-of-bounds read from the stack and out-of-bounds write to the heap (CWE-787). The source data is partially controllable through the contents of the DOM tree.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote attackers can trigger the issue by supplying malicious input processed by the encoder, potentially causing memory corruption that results in denial-of-service through application crashes.
The vulnerability is fixed in Lexbor version 2.7.0. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3.
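The stale-variable underflow described above, reduced to a simplified model beside a hardened form. This is an added example, not Lexbor's code: enc_ctx, drain_stale, drain_checked, copy_checked and the pending[] input are hypothetical names and constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an encoder context; not Lexbor's own struct. */
typedef struct { size_t buffer_used; } enc_ctx;

/* Flawed pattern: `size` is declared outside the loop and only assigned when
 * a step has bytes to flush, so a step with nothing to flush reuses it. */
static size_t drain_stale(enc_ctx *ctx, const size_t *pending, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (pending[i] != 0) size = pending[i];
        ctx->buffer_used -= size;      /* second pass: 2 - 3 wraps to SIZE_MAX */
    }
    return ctx->buffer_used;           /* later used as a copy length */
}

/* Hardened: fresh `size` per iteration, and no subtraction that would wrap. */
static int drain_checked(enc_ctx *ctx, const size_t *pending, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t size = pending[i];
        if (size > ctx->buffer_used) return -1;
        ctx->buffer_used -= size;
    }
    return 0;
}

/* Guard at the sink: refuse any length larger than the destination. */
static int copy_checked(uint8_t *dst, size_t cap, const uint8_t *src, size_t len)
{
    if (len > cap) return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    const size_t pending[2] = { 3, 0 };   /* constructed input */
    enc_ctx bad = { 5 }, good = { 5 };
    uint8_t src[8] = { 0 }, dst[8];
    size_t len = drain_stale(&bad, pending, 2);
    int rc = drain_checked(&good, pending, 2);
    printf("stale: %zu, copy rc=%d\n", len, copy_checked(dst, sizeof dst, src, len));
    printf("checked: rc=%d used=%zu\n", rc, good.buffer_used);
    return 0;
}
```

The model never performs the oversized copy: the wrapped length is only returned and then rejected by copy_checked, which is the same bounds check a reviewer would look for in front of any memcpy whose length comes from subtraction.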
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12051
Vulnerability details
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO-2022-JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out-of-bounds read from the stack and an out-of-bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Integer underflow in browser engine library enables remote memory corruption leading to application crashes (DoS) via malicious DOM input, directly mapping to application exploitation for endpoint DoS.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires timely flaw remediation by upgrading to Lexbor 2.7.0, which fixes the integer underflow in the ISO-2022-JP encoder.
Implements memory protection mechanisms such as stack canaries, ASLR, and DEP to block exploitation of the out-of-bounds stack read and heap write.
Validates DOM tree inputs processed by the encoder to reject malformed content that could trigger the stale size variable underflow.