Source: lexbor
Version: 2.6.0-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for lexbor.

CVE-2026-29078[0]:
| Lexbor is a web browser engine library. Prior to 2.7.0, the
| ISO‑2022‑JP encoder in Lexbor fails to reset the temporary size
| variable between iterations. The statement ctx->buffer_used -= size
| with a stale size = 3 causes an integer underflow that wraps to
| SIZE_MAX. Afterwards, memcpy is called with a negative length,
| leading to an out‑of‑bounds read from the stack and an out‑of‑bounds
| write to the heap. The source data is partially controllable via the
| contents of the DOM tree. This vulnerability is fixed in 2.7.0.

CVE-2026-29079[1]:
| Lexbor is a web browser engine library. Prior to 2.7.0, a
| type‑confusion vulnerability exists in Lexbor’s HTML fragment
| parser. When ns = UNDEF, a comment is created using the “unknown
| element” constructor. The comment’s data are written into the
| element’s fields via an unsafe cast, corrupting the qualified_name
| field. That corrupted value is later used as a pointer and
| dereferenced near the zero page. This vulnerability is fixed in
| 2.7.0.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-29078
    https://www.cve.org/CVERecord?id=CVE-2026-29078
    https://github.com/lexbor/lexbor/security/advisories/GHSA-mrwr-xh7f-96v3
[1] https://security-tracker.debian.org/tracker/CVE-2026-29079
    https://www.cve.org/CVERecord?id=CVE-2026-29079
    https://github.com/lexbor/lexbor/security/advisories/GHSA-mrpr-v36q-2vp8

Regards,
Salvatore
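
Added example, not part of the original report and not lexbor's code: a minimal C model of the stale-size pattern described for CVE-2026-29078, next to a checked form. The struct, function names and sample input are hypothetical and built only from the advisory wording; the wrapped value is returned rather than passed to memcpy.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for an encoder context; not lexbor's struct. */
typedef struct { size_t buffer_used; } enc_ctx;

/* Flawed pattern: `size` lives outside the loop and is only assigned when an
 * iteration emits an escape sequence, so later iterations reuse the old value. */
size_t drain_stale(enc_ctx *ctx, const size_t *esc_len, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        if (esc_len[i] != 0)
            size = esc_len[i];
        ctx->buffer_used -= size;   /* unsigned: wraps instead of going negative */
    }
    return ctx->buffer_used;        /* would later be used as a copy length */
}

/* Hardened pattern: fresh value per iteration, never subtract past zero. */
bool drain_checked(enc_ctx *ctx, const size_t *esc_len, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        size_t size = esc_len[i];   /* reset every iteration */
        if (size > ctx->buffer_used)
            return false;           /* caller must treat this as an error */
        ctx->buffer_used -= size;
    }
    return true;
}

/* Constructed input: first step consumes 3 bytes, second consumes none. */
static const size_t SAMPLE[] = { 3, 0 };

int main(void)
{
    enc_ctx a = { 5 }, b = { 5 };   /* 5 bytes buffered in both cases */
    size_t bad = drain_stale(&a, SAMPLE, 2);
    bool ok = drain_checked(&b, SAMPLE, 2);
    printf("stale:   buffer_used = %zu (SIZE_MAX = %zu)\n", bad, (size_t)SIZE_MAX);
    printf("checked: ok = %d, buffer_used = %zu\n", ok, b.buffer_used);
    return 0;
}
```
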

