Description
Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.
Published: 2026-03-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch
AI Analysis

Impact

An integer underflow occurs in the ISO‑2022‑JP encoder of Lexbor when the temporary size variable is not reset between iterations. This causes the subtraction ctx->buffer_used -= size to wrap to SIZE_MAX. memcpy is then called with a negative (underflowed) length, resulting in an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data for the bug is partially controllable via the DOM tree, so an attacker can influence the data that triggers the encoder. The resulting memory corruption could lead to disclosure of sensitive information or execution of arbitrary code in the context where Lexbor runs.
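
The stale-counter underflow described above, reduced to a small C model with the flawed loop beside a hardened one. This is an added illustration, not Lexbor's source: enc_ctx, step, SAMPLE, run_stale, run_fixed and copy_out are hypothetical names, and the staging and rollback logic is an assumption made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>   /* SIZE_MAX, the neighbourhood the wrapped counter lands in */
#include <string.h>

/* Hypothetical encoder state; only buffer_used and size are named on the page. */
typedef struct { unsigned char buffer[8]; size_t buffer_used; } enc_ctx;
/* Constructed step: bytes staged (3 = an escape sequence) and whether the
 * step fails and must undo what it staged. */
typedef struct { size_t staged; int fail; } step;
const step SAMPLE[] = { {3, 0}, {0, 1} };   /* constructed input */

/* Flawed pattern: size is never reset, so step 2 undoes step 1's 3 bytes. */
size_t run_stale(enc_ctx *ctx, const step *s, size_t n) {
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i].staged) { size = s[i].staged; ctx->buffer_used += size; }
        if (s[i].fail) ctx->buffer_used -= size;   /* 0 - 3 wraps around */
        else ctx->buffer_used = 0;                 /* flushed downstream */
    }
    return ctx->buffer_used;
}

/* Hardened pattern: per-iteration reset plus explicit bounds checks. */
int run_fixed(enc_ctx *ctx, const step *s, size_t n) {
    if (ctx->buffer_used > sizeof ctx->buffer) return -1;
    for (size_t i = 0; i < n; i++) {
        size_t size = 0;                           /* reset every iteration */
        if (s[i].staged) {
            if (s[i].staged > sizeof ctx->buffer - ctx->buffer_used) return -1;
            size = s[i].staged;
            ctx->buffer_used += size;
        }
        if (s[i].fail) {
            if (size > ctx->buffer_used) return -1; /* underflow guard */
            ctx->buffer_used -= size;
        } else {
            ctx->buffer_used = 0;
        }
    }
    return 0;
}

/* Guarded copy: a length larger than either buffer never reaches memcpy. */
int copy_out(unsigned char *dst, size_t cap, const enc_ctx *ctx) {
    if (ctx->buffer_used > sizeof ctx->buffer || ctx->buffer_used > cap) return -1;
    memcpy(dst, ctx->buffer, ctx->buffer_used);
    return 0;
}
```

With the constructed input, the flawed loop leaves buffer_used at SIZE_MAX - 2, and the guarded copy is the only thing that keeps that value away from memcpy.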

Affected Systems

Lexbor web browser engine library (cpe:2.3:a:lexbor:lexbor). All releases prior to version 2.7.0 are affected. No further version details are provided.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity. EPSS is reported as less than 1%, implying a low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through crafted DOM content that activates the ISO‑2022‑JP encoder; this inference is based on the description that the source data is controllable via the DOM.

Generated by OpenCVE AI on March 18, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Lexbor to version 2.7.0 or later.



Advisories

No advisories yet.

History

Wed, 18 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:* |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


Mon, 16 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 16 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Lexbor; Lexbor lexbor |
| Vendors & Products | | Lexbor; Lexbor lexbor |

Fri, 13 Mar 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0. |
| Title | | Integer Underflow in Lexbor ISO‑2022‑JP Encoder |
| Weaknesses | | CWE-191; CWE-787 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:05:52.178Z

Reserved: 2026-03-03T20:51:43.483Z

Link: CVE-2026-29078

Vulnrichment

Updated: 2026-03-16T17:05:48.495Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:32.550

Modified: 2026-03-18T20:28:10.583

Link: CVE-2026-29078

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:39:42Z

Weaknesses