Skip to main content

Nokogiri CVE-2026-57436

| EUVDEUVD-2026-39427 LOW
Use After Free (CWE-416)
2026-06-25 GitHub_M
1.7
CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
1.7 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
1.9 LOW

Requires ability to write and deploy application code with the specific API misuse (PR:H, AV:L, AC:H); only availability impact applies.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 25, 2026 - 16:03 EUVD
Source Code Evidence Fetched
Jun 25, 2026 - 15:23 vuln.today
Analysis Generated
Jun 25, 2026 - 15:23 vuln.today

DescriptionCVE.org

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.

AnalysisAI

Heap use-after-free in Nokogiri's CRuby implementation (prior to 1.19.4) can corrupt process memory when application code assigns a DTD node as a document root via Document#root=. The root cause is insufficient type validation in the setter, which accepted any Nokogiri::XML::Node subclass rather than restricting to element nodes, leaving libxml2 in an inconsistent internal state that triggers a dangling pointer dereference during Ruby garbage collection or finalization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Application code assigns DTD node to Document#root=
Delivery
libxml2 internal xmlDoc state becomes inconsistent
Exploit
Ruby GC triggers finalization of Nokogiri document object
Execution
libxml2 dereferences freed or mistyped node pointer
Persist
Heap use-after-free causes invalid memory read or segfault
Impact
Ruby process crashes

Vulnerability AssessmentAI

Exploitation Exploitation requires that application code explicitly calls `Nokogiri::XML::Document#root=` with a non-element node - specifically a DTD node or any other `Nokogiri::XML::Node` subclass that is not an element node - in the CRuby implementation of Nokogiri prior to 1.19.4. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is very low, consistent with the CVSS 4.0 score of 1.7. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A Ruby application using Nokogiri on CRuby parses an XML document and, due to a developer error, extracts the DTD node from the document and assigns it as the root via `document.root = document.internal_subset`. At some subsequent point - possibly during a request cycle's cleanup, process shutdown, or garbage collection run - Ruby's GC finalizes the document object, libxml2 attempts to free the DTD node through the root pointer, and the process crashes with a segfault or accesses already-freed heap memory. …
Remediation Upgrade Nokogiri to version 1.19.4 or later; this is the vendor-confirmed patch (GHSA-wjv4-x9w8-wm3h at https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2022-29181 HIGH POC
8.2 May 20

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 8.2), this vulnerability is remotely

CVE-2019-5477 CRITICAL
9.8 Aug 16

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Rub

CVE-2022-23476 HIGH
7.5 Dec 08

Nokogiri is an open source XML and HTML library for the Ruby programming language. Rated high severity (CVSS 7.5), this

CVE-2022-24836 HIGH
7.5 Apr 11

Nokogiri is an open source XML and HTML library for Ruby. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2021-41098 HIGH
7.5 Sep 27

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated high sever

CVE-2026-57235 MEDIUM
6.3 Jun 25

Out-of-bounds read in Nokogiri's `NodeSet#[]` method (all versions before 1.19.4) enables an attacker who can supply a l

CVE-2020-26247 MEDIUM
4.3 Dec 30

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. Rated medium sev

CVE-2026-57234 LOW
2.6 Jun 25

NONET network restriction bypass in Nokogiri's JRuby implementation permits external resource fetching during XML Schema

CVE-2026-57438 LOW
2.2 Jun 25

Use-after-free in Nokogiri's CRuby XInclude processing (versions prior to 1.19.4) can leave Ruby wrapper objects pointin

CVE-2026-57437 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby implementation (versions prior to 1.19.4) allows an application crash via segfault wh

CVE-2026-57435 LOW
1.7 Jun 25

Use-after-free in Nokogiri's CRuby native extension (versions prior to 1.19.4) can corrupt process memory or cause a seg

CVE-2026-57434 LOW
1.7 Jun 25

Null pointer dereference in Nokogiri prior to 1.19.4 crashes the Ruby process when application code incorrectly calls `.

Share

CVE-2026-57436 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy