CVE-2026-29078
Out-of-bounds read and write when traversing DOM contents
| Publication Date | 2026-05-13 |
|---|---|
| Severity | High |
| Type | Information Disclosure |
| Affected PHP Versions | |
| Fixed Product Versions | |
CVE Details
The ISO-2022-JP encoder in Lexbor versions prior to 2.7.0 fails to reset a temporary size variable between iterations. When the statement ctx->buffer_used -= size is executed with a stale size value of 3, the unsigned subtraction underflows and wraps to SIZE_MAX. memcpy is then called with this wrapped length (a negative value if interpreted as signed), leading to an out-of-bounds read from the stack and an out-of-bounds write to the heap. The source data is partially controllable via DOM tree contents.
This could result in:
- Out-of-bounds reads from the stack, potentially exposing sensitive information
- Out-of-bounds writes to the heap, causing memory corruption
- Denial of service through application crashes or undefined behavior
- Potential information disclosure depending on what data is read from the stack and written to heap memory
Network-based exploitation is possible with no user interaction required.
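The accounting error described above, reduced to a simplified C model. This is an added example, not Lexbor's or PHP's code: the step structure, the function names and the assumption that the stale 3 is the length of a staged escape sequence are all hypothetical. It contrasts the stale variable with a per-iteration reset, and shows a bounds check that rejects the wrapped length before any copy happens.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model with hypothetical names; not Lexbor's code. */
typedef struct { int needs_escape; int out_full; } step;

/* Constructed input: step 0 stages a 3-byte escape sequence that is flushed;
 * step 1 stages nothing, then finds the output full and rolls back. */
static const step demo[] = { {1, 0}, {0, 1} };

/* Returns buffer_used after the steps, i.e. the length a later memcpy of the
 * staging buffer would receive. reset_size: 0 models the bug, 1 the fix. */
size_t pending_len(const step *s, size_t n, int reset_size)
{
    size_t buffer_used = 0, size = 0;
    for (size_t i = 0; i < n; i++) {
        if (reset_size)
            size = 0;              /* fix: nothing carries over */
        if (s[i].needs_escape) {
            size = 3;              /* assumed: length of the escape sequence */
            buffer_used += size;
        }
        if (s[i].out_full)
            buffer_used -= size;   /* rollback; wraps if size is stale */
        else
            buffer_used = 0;       /* staged bytes were written out */
    }
    return buffer_used;
}

/* Defensive copy: reject a length that cannot describe either buffer. */
int checked_copy(unsigned char *dst, size_t dst_cap,
                 const unsigned char *src, size_t src_cap, size_t len)
{
    if (len > src_cap || len > dst_cap)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    unsigned char stage[8] = {0}, out[8];
    size_t bad = pending_len(demo, 2, 0), good = pending_len(demo, 2, 1);
    printf("buggy len=%zu copy=%d\n", bad, checked_copy(out, 8, stage, 8, bad));
    printf("fixed len=%zu copy=%d\n", good, checked_copy(out, 8, stage, 8, good));
    return 0;
}
```

In this constructed trace the counter is 0 when the stale 3 is subtracted, so the wrapped length is just below SIZE_MAX; the exact value depends on the counter at that moment.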
Recommendations
If using the ISO-2022-JP encoding when parsing DOM documents, you should update to a patched version of PHP immediately.