Description
Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.
Published: 2026-03-13
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a type‑confusion bug in Lexbor’s HTML fragment parser. When the namespace (ns) value is UNDEF, the parser creates a comment element via the “unknown element” constructor. An unsafe cast writes the comment data into the element’s fields, corrupting the qualified_name field. The corrupted value is later dereferenced as a pointer near the zero page, resulting in memory corruption that can lead to a crash or potentially allow execution of arbitrary code. This weakness is identified by CWE‑843.
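A minimal C model of the pattern described above, added here as an illustration: it is not Lexbor's code, and every type and function name in it is hypothetical. It assumes the comment's length field shares an offset with the element's qualified_name, a layout the page does not give, and contrasts the unchecked cast with a tag-checked downcast.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layouts for illustration; these are NOT Lexbor's structs. */
typedef enum { NODE_ELEMENT = 1, NODE_COMMENT = 8 } node_type_t;
typedef struct { node_type_t type; } node_t;  /* header shared by all nodes */
typedef struct { node_t node; uintptr_t qualified_name; } element_t; /* used as a pointer later */
typedef struct { node_t node; size_t length; } comment_t; /* assumed: same offset as above */
/* One allocation that can be viewed as either node kind. */
typedef union { node_t node; element_t element; comment_t comment; } slot_t;

/* Stand-in for the "unknown element" constructor: always builds an element. */
static void create_unknown_element(slot_t *s) {
    memset(s, 0, sizeof *s);
    s->node.type = NODE_ELEMENT;
}

/* Vulnerable pattern: the caller wanted a comment and casts without checking. */
static void comment_set_unchecked(slot_t *s, const char *text) {
    s->comment.length = strlen(text);  /* lands on element.qualified_name */
}

/* Hardened pattern: downcast only when the type tag matches. */
static comment_t *as_comment(slot_t *s) {
    return s->node.type == NODE_COMMENT ? &s->comment : NULL;
}

static int comment_set_checked(slot_t *s, const char *text) {
    comment_t *c = as_comment(s);
    if (c == NULL)
        return -1;                     /* refuse: the object is not a comment */
    c->length = strlen(text);
    return 0;
}

/* Returns qualified_name after the unchecked write: a small non-NULL value. */
static uintptr_t demo_unchecked(void) {
    slot_t s; create_unknown_element(&s);
    comment_set_unchecked(&s, "abc");
    return s.element.qualified_name;
}

/* Returns 1 when the checked path rejects the write and the field stays 0. */
static int demo_checked(void) {
    slot_t s; create_unknown_element(&s);
    return comment_set_checked(&s, "abc") == -1 && s.element.qualified_name == 0;
}

int main(void) { return demo_unchecked() == 3 && demo_checked() ? 0 : 1; }
```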

Affected Systems

The flaw exists in all Lexbor releases prior to 2.7.0. The affected product is lexbor:lexbor, identified by the CPE cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:*. Any version before 2.7.0 is affected; no narrower range is supplied.

Risk and Exploitability

The CVSS score of 8.2 indicates a high impact, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires an attacker to supply specially crafted HTML fragments that trigger the parser; thus, it may be exploitable in both remote contexts (e.g., web applications using Lexbor) and local contexts (e.g., client‑side rendering) depending on how the library is integrated. Because the defect corrupts memory, it can quickly lead to a denial‑of‑service or, if the corruption is leveraged, to remote code execution. Both CVSS vectors recorded in the history below rate availability impact as high and confidentiality and integrity impact as none.

Generated by OpenCVE AI on March 18, 2026 at 21:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Lexbor to version 2.7.0 or later.
  • Verify that the updated library is in use and that no legacy code paths still invoke the old parser.
  • If an update is not immediately possible, isolate the component that uses Lexbor and scan incoming HTML to block crafted input that can trigger the parser bug.
  • Monitor security advisories from Lexbor for any additional patches.


Advisories

No advisories yet.

History

Wed, 18 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:* |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |


Mon, 16 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 16 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Lexbor; Lexbor lexbor |
| Vendors & Products | | Lexbor; Lexbor lexbor |

Fri, 13 Mar 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0. |
| Title | | Type Confusion in Lexbor Fragment Parser |
| Weaknesses | | CWE-843 |
| References | | |
| Metrics | | cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-16T17:05:28.190Z

Reserved: 2026-03-03T20:51:43.483Z

Link: CVE-2026-29079

Vulnrichment

Updated: 2026-03-16T17:05:24.686Z

NVD

Status: Analyzed

Published: 2026-03-13T19:54:32.747

Modified: 2026-03-18T20:20:53.060

Link: CVE-2026-29079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:39:41Z

Weaknesses