Skip to main content

Nokogiri CVE-2026-57236

| EUVDEUVD-2026-39419 LOW
Use After Free (CWE-416)
2026-06-25 GitHub_M
1.7
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.8 MEDIUM

AC:H captures the three-step exploitation chain; C:L reflects the potential heap byte leak noted in the advisory and information disclosure tag.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 16:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 15:20 vuln.today
Analysis Generated
Jun 25, 2026 - 15:20 vuln.today

DescriptionCVE.org

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.

AnalysisAI

Use-after-free in Nokogiri's CRuby (libxml2) implementation allows freed heap memory to be read on subsequent calls to Document#encoding, potentially causing a segmentation fault or leaking stale heap bytes into a Ruby String object. Versions prior to 1.19.4 are affected when the three-step exploitation pattern occurs: an invalid encoding assignment, exception rescue, and continued document use. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Supply null-byte or non-string encoding value to Document#encoding=
Delivery
libxml2 C extension frees internal encoding string pointer
Exploit
Ruby exception raised before pointer is replaced
Execution
Application rescues exception and retains document reference
Persist
Subsequent Document#encoding call dereferences freed memory
Impact
Segfault (process crash) or stale heap bytes leak into Ruby String

Vulnerability AssessmentAI

Exploitation Three specific conditions must align simultaneously for exploitation: (1) the application must pass an attacker-controlled or otherwise invalid encoding value - specifically a non-string or a string containing a null byte - to Document#encoding= on a Nokogiri XML document; (2) the application must rescue the resulting Ruby exception rather than allowing it to propagate, terminate the operation, or replace the document; and (3) the application must subsequently call Document#encoding on the same, now-corrupted document object. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 score of 1.7 (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L) is broadly accurate, with the AT:P (attack requirements: present) metric correctly capturing the non-default exploitation preconditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls input to a Ruby application that passes user-supplied data to Document#encoding= can submit a null-byte-containing string, causing the method to free the internal encoding pointer and raise a Ruby exception. If the application rescues this exception and continues using the same document object - for example, in an error-tolerant document processing pipeline - the next call to Document#encoding reads freed heap memory, either crashing the Ruby process or returning stale heap bytes as a string value. …
Remediation Upgrade to Nokogiri 1.19.4 or later; this is the vendor-released patch (confirmed by GHSA-5v8h-3h3q-446p) and requires no changes to application-level public API usage. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-29181 HIGH POC
8.2 May 20

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely

CVE-2019-5477 CRITICAL
9.8 Aug 16

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub

CVE-2022-23476 HIGH
7.5 Dec 08

Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this

CVE-2022-24836 HIGH
7.5 Apr 11

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2021-41098 HIGH
7.5 Sep 27

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever

CVE-2026-57235 MEDIUM
6.3 Jun 25

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l

CVE-2020-26247 MEDIUM
4.3 Dec 30

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev

CVE-2026-57234 LOW
2.6 Jun 25

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema

CVE-2026-57438 LOW
2.2 Jun 25

Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin

CVE-2026-57437 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh

CVE-2026-57436 LOW
1.7 Jun 25

Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application cod

CVE-2026-57435 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a seg

Share

CVE-2026-57236 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy