Type-confusion in HTML fragment parsing

Publication Date 2026-05-13
Severity High
Type Denial of Service
Affected PHP Versions
  • 8.4.0-8.4.20
  • 8.5.0-8.5.5
Fixed Product Versions
  • ZendPHP 8.4
  • ZendPHP 8.5

CVE Details

A type-confusion vulnerability exists in Lexbor's HTML fragment parser. When ns = UNDEF, a comment is created using the "unknown element" constructor. The comment's data are written into the element's fields via an unsafe cast, corrupting the qualified_name field. That corrupted value is later used as a pointer and dereferenced near the zero page.

An attacker could craft malicious HTML input that triggers the type-confusion vulnerability when processed by Lexbor's HTML fragment parser. This would corrupt memory and cause a denial of service (DoS) condition, potentially crashing applications.

Recommendations

If you parse HTML using PHP's DOM and XML functionality, we recommend updating to a patched version of PHP.
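
To help find installations that need the update, the following shell functions classify PHP version strings against the affected ranges listed above. This is an added example, not part of the advisory or of any vendor tooling; the `review` status, the host names and the sample inventory are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): triage PHP versions against the
# affected ranges the advisory lists, 8.4.0-8.4.20 and 8.5.0-8.5.5.

# php_lexbor_status VERSION
# Prints: affected | review | not-affected | unparseable
# "review" is this example's own category (an assumption): the number falls in
# an affected range but carries a suffix (pre-release or vendor build), so the
# version string alone does not say whether a fix is included.
php_lexbor_status() {
    core=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    if [ -z "$core" ]; then echo unparseable; return 0; fi
    suffix=${1#"$core"}
    major=${core%%.*}; rest=${core#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$major.$minor" in
        8.4) last_affected=20 ;;
        8.5) last_affected=5 ;;
        *)   echo not-affected; return 0 ;;
    esac
    if [ "$patch" -gt "$last_affected" ]; then
        echo not-affected
    elif [ -n "$suffix" ]; then
        echo review
    else
        echo affected
    fi
}

# triage_inventory: reads "host version" lines on stdin and prints every host
# whose status is not "not-affected", as "host version status".
triage_inventory() {
    while read -r host version; do
        [ -n "$host" ] || continue
        status=$(php_lexbor_status "$version")
        [ "$status" = not-affected ] || echo "$host $version $status"
    done
}

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY='web01 8.4.20
web02 8.4.21
web03 8.5.3-1+vendor1
web04 8.3.30
web05 8.5.6
web06 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory
```

For a single host, pass the output of `php -r 'echo PHP_VERSION;'` to `php_lexbor_status`. Vendor builds can carry backported fixes without a version change, so confirm a match against the vendor's own changelog.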