CVE-2026-29078
Received Received - Intake
Integer Underflow and Out-of-Bounds Write in Lexbor ISO-2022-JP Encoder

Publication date: 2026-03-13

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29078
EUVD
EUVD-2026-12051
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lexbor lexbor to 2.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-191 The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29078 is an integer underflow vulnerability in the ISO-2022-JP encoder component of the Lexbor web browser engine library, affecting versions prior to 2.7.0.

The vulnerability occurs because the encoder fails to reset a temporary size variable between iterations. This causes the statement ctx->buffer_used -= size to execute with a stale size value of 3, resulting in an integer underflow that wraps around to SIZE_MAX.

As a result, a subsequent memcpy call uses a negative length parameter, leading to an out-of-bounds read from the stack and an out-of-bounds write to the heap.

The source data influencing this vulnerability is partially controllable via the contents of the DOM tree.

Impact Analysis

This vulnerability can lead to memory corruption due to out-of-bounds read and write operations.

An attacker can exploit this flaw remotely without requiring any privileges or user interaction.

The primary impact is a high severity risk of denial of service, causing the affected application or system to crash or behave unpredictably.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade the Lexbor library to version 2.7.0 or later, where the issue has been fixed.

This update addresses the integer underflow and out-of-bounds memory access caused by the ISO-2022-JP encoder failing to reset a temporary size variable.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29078. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart