CVE-2026-29079
Received Received - Intake
Type Confusion in Lexbor HTML Parser Causes Memory Corruption

Publication date: 2026-03-13

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-13
Last Modified
2026-03-18
Generated
2026-06-16
AI Q&A
2026-03-13
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29079
EUVD
EUVD-2026-12054
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lexbor lexbor to 2.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29079 is a high-severity type confusion vulnerability in the Lexbor HTML fragment parser affecting version 2.6.0 and earlier. The flaw occurs when the namespace (ns) is set to UNDEF, causing the parser to create a comment node using an "unknown element" constructor. This results in the comment\'s data being written into the element\'s fields through an unsafe cast, which corrupts the qualified_name field. The corrupted qualified_name is then used as a pointer and dereferenced near the zero page, leading to memory corruption.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-843 (Access of Resource Using Incompatible Type, or Type Confusion), where a resource is allocated or initialized with one type but accessed later using an incompatible type.'}] [1]

Impact Analysis

The primary impact of this vulnerability is on system availability. Exploiting this flaw can cause memory corruption that leads to denial of service (DoS).

The vulnerability requires no privileges or user interaction and can be exploited remotely over a network with low attack complexity.

Confidentiality and integrity are not affected by this vulnerability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability is a type confusion flaw in the Lexbor HTML fragment parser affecting versions prior to 2.7.0. Detection involves identifying if your system is running a vulnerable version of Lexbor (e.g., 2.6.0).

Since the vulnerability can be exploited remotely without privileges or user interaction, monitoring network traffic for unusual crashes or denial of service symptoms in applications using Lexbor may help indicate exploitation attempts.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade Lexbor to version 2.7.0 or later, where this vulnerability has been fixed.

Since the vulnerability allows remote exploitation without privileges or user interaction, applying the patch promptly is critical to prevent denial of service attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29079. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart