Is CVE-2026-29078 actively exploited?

CVE-2026-29078 has no public evidence of in-the-wild exploitation as of 2026-03-18.

What is the CVSS score for CVE-2026-29078?

CVE-2026-29078 has a CVSS score of 8.2 (HIGH severity). Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

How do I patch CVE-2026-29078?

Patch guidance is available from lexbor security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-29078.

Fix CVE-2026-29078 - HIGH lexbor lexbor

Description

Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->buffer_used -= size with a stale size = 3 causes an integer underflow that wraps to SIZE_MAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.

CVSS Metrics

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: network
Complexity: low
Privileges: none
User Action: none
Confidentiality: undefined
Integrity: undefined
Availability: undefined
Weaknesses: CWE-191 CWE-787 · Out-of-bounds Write

Metadata

Primary Vendor: LEXBOR
Published: 3/13/2026
Last Modified: 3/18/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

lexbor : lexbor

Remediation Guidance

Executive Summary

Cite this page

CVE-2026-29078. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-29078

View on NIST NVD

CVE-2026-29078 vulnerability