UBUNTU-CVE-2026-29078

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-29078

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-29078.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-29078

Upstream

CVE-2026-29078

Published

2026-03-13T19:54:00Z

Modified

2026-05-20T16:24:54.591271091Z

Severity

8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Lexbor is a web browser engine library. Prior to 2.7.0, the ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size variable between iterations. The statement ctx->bufferused -= size with a stale size = 3 causes an integer underflow that wraps to SIZEMAX. Afterwards, memcpy is called with a negative length, leading to an out‑of‑bounds read from the stack and an out‑of‑bounds write to the heap. The source data is partially controllable via the contents of the DOM tree. This vulnerability is fixed in 2.7.0.

References

Affected packages

Ubuntu:26.04:LTS / lexbor

Package

Name: lexbor
Purl: pkg:deb/ubuntu/lexbor?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.6.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liblexbor2",
            "binary_version": "2.6.0-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-29078.json"