Cyber Posture

CVE-2026-29079

High

Published: 13 March 2026
Modified: 18 March 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0006 (18.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29079 is a high-severity Type Confusion (CWE-843) vulnerability in Lexbor (vendor: Lexbor), a web browser engine library. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score ranks it at the 18.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A type confusion in the HTML parser can be triggered remotely to crash the application (null pointer dereference). That denial of service matches Application or System Exploitation, a sub-technique of Endpoint Denial of Service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Lexbor is a web browser engine library. Prior to 2.7.0, a type-confusion vulnerability exists in Lexbor's HTML fragment parser. When ns = UNDEF, a comment is created using the "unknown element" constructor. The comment's data are written into the element's fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.

Deeper analysis

CVE-2026-29079 is a type-confusion vulnerability in Lexbor, a web browser engine library. In versions prior to 2.7.0, the HTML fragment parser mishandles cases where the namespace (ns) is UNDEF, creating a comment node using the "unknown element" constructor. This leads to an unsafe cast that writes the comment's data into the element's fields, corrupting the qualified_name field. The corrupted value is subsequently used as a pointer and dereferenced near the zero page, classified under CWE-843 (Type Confusion).

Remote attackers can exploit this vulnerability over the network with low complexity and no privileges or user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By supplying a specially crafted HTML fragment, an attacker triggers the type confusion, resulting in a denial of service: the process crashes on the near-null pointer dereference.

The vulnerability is fixed in Lexbor version 2.7.0. Security practitioners should update to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8.
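To make the mechanism concrete, here is an added C illustration (not Lexbor's code; the node structs, field names and layout are hypothetical) of the pattern the description gives: a node built by the element constructor is filled in as a comment, so the comment's length lands on the element's qualified_name and is later treated as a pointer near the zero page. The fixed shape builds the comment through its own type regardless of ns.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node layouts for illustration only, NOT Lexbor's real structs.
 * comment.length sits exactly where element.qualified_name does. */
typedef enum { NS_UNDEF = 0, NS_HTML = 1 } ns_t;
typedef enum { NODE_ELEMENT = 1, NODE_COMMENT = 2 } node_type_t;
typedef struct { node_type_t type; const char *qualified_name; const char *local_name; } element_t;
typedef struct { node_type_t type; size_t length; const char *data; } comment_t;
typedef union { element_t el; comment_t c; } node_t;  /* one allocation, two views */
static const char UNKNOWN_NAME[] = "unknown";

/* Vulnerable shape: for ns == NS_UNDEF the node comes from the "unknown element"
 * constructor and is then filled in as a comment, reinterpreting element memory. */
static node_t *create_comment_vuln(ns_t ns, const char *text) {
    node_t *node = calloc(1, sizeof *node);
    if (!node) return NULL;
    if (ns == NS_UNDEF) {                        /* wrong constructor */
        node->el.type = NODE_ELEMENT;
        node->el.qualified_name = node->el.local_name = UNKNOWN_NAME;
    } else {
        node->c.type = NODE_COMMENT;
    }
    node->c.length = strlen(text);   /* on the element view this overwrites qualified_name */
    node->c.data = text;             /* ... and local_name with the text pointer */
    return node;
}
/* Fixed shape: a comment is always built through the comment view, whatever ns is. */
static node_t *create_comment_fixed(ns_t ns, const char *text) {
    node_t *node = calloc(1, sizeof *node);
    if (!node) return NULL;
    (void)ns;                        /* UNDEF is a legal namespace for a comment */
    node->c.type = NODE_COMMENT;
    node->c.length = strlen(text);
    node->c.data = text;
    return node;
}
/* 1 if a node that claims to be an element carries a qualified_name inside the
 * zero page: the pointer that faults when a later consumer dereferences it. */
static int qualified_name_near_zero_page(const node_t *node) {
    return node->el.type == NODE_ELEMENT && (uintptr_t)node->el.qualified_name < 4096;
}
/* Drivers for the two paths: return 1 when the corrupted pointer is present. */
int demo_vuln(ns_t ns)  { node_t *n = create_comment_vuln(ns, "hi");  int bad = n && qualified_name_near_zero_page(n); free(n); return bad; }
int demo_fixed(ns_t ns) { node_t *n = create_comment_fixed(ns, "hi"); int bad = !n || qualified_name_near_zero_page(n); free(n); return bad; }
```

With the constructed input "hi", the vulnerable UNDEF path leaves qualified_name equal to the comment length 2, which is exactly the kind of near-null pointer a sanitizer build or crash dump would show for this bug class.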

Details

CWE(s): CWE-843 (Type Confusion)

Affected Products: lexbor / lexbor, ≤ 2.7.0

CVEs Like This One

CVE-2026-29078 (same product: Lexbor Lexbor)
CVE-2025-24129 (shared CWE-843)
CVE-2026-31502 (shared CWE-843)
CVE-2026-21505 (shared CWE-843)
CVE-2026-25537 (shared CWE-843)
CVE-2026-5865 (shared CWE-843)
CVE-2026-4702 (shared CWE-843)
CVE-2025-21342 (shared CWE-843)
CVE-2025-53144 (shared CWE-843)
CVE-2025-10585 (shared CWE-843)