CVE-2026-29079
Type Confusion in Lexbor HTML Parser Causes Memory Corruption
Publication date: 2026-03-13
Last updated on: 2026-03-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lexbor | lexbor | to 2.7.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-843 | The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-29079 is a high-severity type confusion vulnerability in the Lexbor HTML fragment parser affecting version 2.6.0 and earlier. The flaw occurs when the namespace (ns) is set to UNDEF, causing the parser to create a comment node using an "unknown element" constructor. This results in the comment\'s data being written into the element\'s fields through an unsafe cast, which corrupts the qualified_name field. The corrupted qualified_name is then used as a pointer and dereferenced near the zero page, leading to memory corruption.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified under CWE-843 (Access of Resource Using Incompatible Type, or Type Confusion), where a resource is allocated or initialized with one type but accessed later using an incompatible type.'}] [1]
How can this vulnerability impact me? :
The primary impact of this vulnerability is on system availability. Exploiting this flaw can cause memory corruption that leads to denial of service (DoS).
The vulnerability requires no privileges or user interaction and can be exploited remotely over a network with low attack complexity.
Confidentiality and integrity are not affected by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a type confusion flaw in the Lexbor HTML fragment parser affecting versions prior to 2.7.0. Detection involves identifying if your system is running a vulnerable version of Lexbor (e.g., 2.6.0).
Since the vulnerability can be exploited remotely without privileges or user interaction, monitoring network traffic for unusual crashes or denial of service symptoms in applications using Lexbor may help indicate exploitation attempts.
Specific commands to detect the vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Lexbor to version 2.7.0 or later, where this vulnerability has been fixed.
Since the vulnerability allows remote exploitation without privileges or user interaction, applying the patch promptly is critical to prevent denial of service attacks.