CVE-2026-57434
Awaiting Analysis - Queue
NULL Pointer Dereference in Nokogiri Ruby Library

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.
Affected Vendors & Products (2 associated CPEs)

Vendor          Product     Version / Range
nokogiri        nokogiri    up to 1.19.4 (excluding)
sparklemotion   nokogiri    1.19.4
CWE

CWE-476: The product dereferences a pointer that it expects to be valid but is NULL.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-57434 is a vulnerability in Nokogiri, a Ruby gem used for parsing and manipulating XML and HTML documents.

The issue arises when certain methods are called on native wrapper classes that inherit from Nokogiri::XML::Node but were created with `.allocate`, which bypasses `initialize` and so leaves the object's native data pointer unset.

This causes a null pointer dereference, which leads to a crash of the process.

The vulnerability is fixed in Nokogiri version 1.19.4 by adding checks for missing native data pointers and raising a RuntimeError instead of crashing.

Impact Analysis

This vulnerability can cause your application to crash if it improperly uses the `.allocate` method on Nokogiri native-backed classes without initialization.

However, it is considered low severity because it requires a programming error and cannot be triggered by untrusted input or normal use of the public API.

The main impact is potential denial of service due to process crashes in applications that misuse Nokogiri in this specific way.

Upgrading to Nokogiri 1.19.4 or later and avoiding direct calls to `.allocate` on native-backed classes mitigates this risk.

Detection Guidance

This vulnerability arises from a programming error where methods are called on uninitialized native wrapper classes in Nokogiri. It cannot be triggered by normal use or untrusted input, so detection on a network or system level is not straightforward.

To detect if your application is vulnerable, you should review your Ruby code for any direct calls to the `.allocate` method on Nokogiri native-backed classes, especially those inheriting from Nokogiri::XML::Node.

There are no specific network or system commands provided to detect this vulnerability automatically.
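A small static check for the code review described above, added here as an example and not part of this advisory or of Nokogiri itself: it parses Ruby source with the standard library's Ripper and reports `.allocate` calls whose receiver is a constant path under `Nokogiri`, ignoring comments and string literals. The sample source and the helper names are constructed for this example.

```ruby
require "ripper"

# Constructed sample input for the example (not real application code).
SAMPLE_SOURCE = <<~'RUBY'
  require "nokogiri"
  doc  = Nokogiri::XML("<root/>")                 # documented constructor: fine
  node = Nokogiri::XML::Node.new("a", doc)        # documented constructor: fine
  elem = Nokogiri::XML::Element.allocate          # bypasses initialize: flagged
  dup  = ::Nokogiri::XML::Document.allocate()     # leading :: and parens: flagged
  # Nokogiri::XML::Node.allocate in a comment is ignored
  s = "Nokogiri::XML::Node.allocate"              # inside a string: ignored
  x = SomethingElse.allocate                      # not a Nokogiri class: ignored
RUBY

# Render a constant-path AST node (Foo, ::Foo, Foo::Bar) as "Foo::Bar"; nil for anything else.
def const_path(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :var_ref, :top_const_ref
    node[1][1] if node[1].is_a?(Array) && node[1][0] == :@const
  when :const_path_ref
    base = const_path(node[1])
    base && "#{base}::#{node[2][1]}"
  end
end

# Return [{line:, receiver:}] for every `.allocate` call on a constant under Nokogiri.
# Comments and string literals never produce :call nodes, so they cannot match.
def scan_nokogiri_allocate(source)
  tree = Ripper.sexp(source)
  return [] unless tree # Ripper.sexp returns nil on a syntax error
  hits = []
  walk = lambda do |node|
    next unless node.is_a?(Array)
    if node[0] == :call && node[3].is_a?(Array) &&
       node[3][0] == :@ident && node[3][1] == "allocate"
      recv = const_path(node[1])
      hits << { line: node[3][2][0], receiver: recv } if recv&.start_with?("Nokogiri::")
    end
    node.each { |child| walk.call(child) }
  end
  walk.call(tree)
  hits
end

if __FILE__ == $PROGRAM_NAME
  files = ARGV.empty? ? { "sample.rb" => SAMPLE_SOURCE } : ARGV.map { |f| [f, File.read(f)] }.to_h
  files.each do |name, src|
    scan_nokogiri_allocate(src).each { |h| puts "#{name}:#{h[:line]}: #{h[:receiver]}.allocate" }
  end
end
```

Run it with one or more `.rb` paths as arguments to scan real files; with no arguments it scans the embedded sample. Calls that reach `allocate` indirectly (for example via `send`) are not detected.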

Mitigation Strategies

The primary mitigation is to upgrade Nokogiri to version 1.19.4 or later, where this issue is fixed.

  • Avoid calling `.allocate` directly on Nokogiri native-backed classes.
  • Use the documented constructors and factory methods provided by Nokogiri instead of `.allocate`.