CVE-2026-57236
Awaiting Analysis Awaiting Analysis - Queue
Memory Corruption in Nokogiri Ruby Library

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-25
Last Modified
2026-06-25
Generated
2026-06-25
AI Q&A
2026-06-25
EPSS Evaluated
N/A
NVD
CVE-2026-57236
EUVD
EUVD-2026-39419
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nikogiri nokogiri to 1.19.4 (inc)
sparklemotion nokogiri to 1.19.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a Use-After-Free issue in the Nokogiri library for Ruby, specifically in the CRuby (libxml2) implementation. When the method Document#encoding= is called with an invalid encoding (such as a non-string or a string containing a null byte), it raises an exception but frees the document's current encoding string before replacing it. This leaves the document referencing freed memory, which can cause a segmentation fault (crash) or memory leaks when the encoding is accessed afterward.

The vulnerability requires an unusual usage pattern where an invalid encoding is passed, the exception is rescued, and the document is reused. It does not affect JRuby implementations. The issue was fixed in Nokogiri version 1.19.4.

Impact Analysis

This vulnerability can cause your application to crash due to segmentation faults or leak memory by exposing freed bytes into Ruby strings. This can lead to instability or denial of service in applications using Nokogiri with the affected versions if they pass invalid encodings to Document#encoding= and handle exceptions in a way that reuses the document.

Since the vulnerability requires an unusual API usage pattern and is classified as low severity, the impact is generally limited but could still affect application reliability and resource usage.

Detection Guidance

This vulnerability arises from an unusual API usage pattern where an invalid encoding is passed to Nokogiri::XML::Document#encoding=, causing an exception and use-after-free condition. Detection involves identifying if your system is running a vulnerable version of Nokogiri (prior to 1.19.4) and if the application code calls Document#encoding= with potentially invalid or attacker-controlled inputs.

There are no specific network detection commands or signatures provided for this vulnerability. Instead, detection should focus on verifying the Nokogiri version and reviewing application code for unsafe usage of Document#encoding=.

  • Check Nokogiri version installed: `gem list nokogiri` or `bundle list | grep nokogiri`
  • Search codebase for calls to `Document#encoding=` to identify potential unsafe usage.
  • Monitor application logs for segfaults or memory errors related to XML processing.
Mitigation Strategies

The primary mitigation step is to upgrade Nokogiri to version 1.19.4 or later, where this vulnerability is fixed.

Alternatively, avoid passing invalid or attacker-controlled values to Document#encoding= to prevent triggering the use-after-free condition.

Review and sanitize inputs to ensure encoding values are valid strings without null bytes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57236. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart