CVE-2026-57435
Awaiting Analysis - Queue
Use-After-Free in Nokogiri Ruby XML Library

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.
Meta Information
Published: 2026-06-25
Last Modified: 2026-06-25
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
nokogiri nokogiri to 1.19.4 (inc)
sparklemotion nokogiri 1.19.4
CWE ID Description
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a use-after-free in Nokogiri's CRuby native extension. It occurs when Ruby code has already accessed an attribute's child node and then replaces the attribute's value. Replacing the value frees the native child node, but the Ruby wrapper object still points to the freed memory. If the freed child node is used again later, or Ruby's garbage collector marks it, the program can read invalid memory, potentially leading to a segmentation fault (crash).

The problem occurs specifically when using the methods `Nokogiri::XML::Attr#value=` or `#content=` to set an attribute's value. This vulnerability requires an unusual pattern of API usage and is considered low severity. It was fixed in Nokogiri version 1.19.4 by preserving already-wrapped attribute child nodes before replacing the value.

Impact Analysis

This vulnerability can crash a Ruby application that uses Nokogiri: the invalid memory access can end in a segmentation fault. Such crashes can lead to denial of service or instability in applications that process XML or HTML data using Nokogiri.

However, the vulnerability requires a specific and unusual usage pattern of the Nokogiri API, so it may not be easily exploitable in typical use cases. Upgrading to Nokogiri 1.19.4 or later mitigates this risk.

Detection Guidance

This vulnerability arises from a specific use-after-free condition in Nokogiri's CRuby native extension when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`, particularly if Ruby code accesses an attribute child node before replacing the attribute value.

Detection would involve identifying if your Ruby applications use Nokogiri versions prior to 1.19.4 and if they perform the unusual API usage pattern that triggers this issue.

There are no explicit commands or network detection methods provided in the available resources.
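
The version half of that check can be scripted against a project's Gemfile.lock. The following is an added example, not taken from the advisory or the Nokogiri project: it lists every resolved nokogiri entry and flags those older than 1.19.4. The function name `nokogiri_findings` and the sample lockfile are constructed for illustration; the platform is reported because the flaw is in the CRuby native extension.

```ruby
require "rubygems" # Gem::Version

FIXED = Gem::Version.new("1.19.4") # fixed release named on this page

# Return one hash per nokogiri entry in the "specs:" section of a Gemfile.lock.
# Resolved specs are indented 4 spaces; their dependency lines (6 spaces) and
# the DEPENDENCIES section (2 spaces) carry constraints, not versions: skipped.
def nokogiri_findings(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A {4}nokogiri \(([^)]+)\)\s*\z/) or next
    version, platform = m[1].split("-", 2) # "1.18.3-x86_64-linux-gnu"
    next unless Gem::Version.correct?(version)
    { version: version,
      platform: platform || "ruby",
      affected: Gem::Version.new(version) < FIXED }
  end
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.22.0)
        nokogiri (>= 1.12.0)
      nokogiri (1.18.3)
      nokogiri (1.18.3-x86_64-linux-gnu)
      nokogiri (1.19.4-java)

  DEPENDENCIES
    nokogiri (~> 1.18)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  nokogiri_findings(text).each do |f|
    status = f[:affected] ? "AFFECTED (< #{FIXED})" : "ok"
    puts "nokogiri #{f[:version]} [#{f[:platform]}]: #{status}"
  end
end
```

Run it with a lockfile path as the only argument; with no argument it reports on the constructed sample. A flagged version still needs the API usage pattern described above to be reachable, so treat the output as an upgrade list, not proof of exposure.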

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Nokogiri to version 1.19.4 or later, where this vulnerability is fixed by preserving already-wrapped attribute child nodes before replacing the value.

If upgrading is not immediately possible, avoid the affected API pattern, in which an attribute child node is accessed before the attribute value is replaced.
