CVE-2026-57436
Status: Awaiting Analysis (Queue)
Heap Use-After-Free in Nokogiri Ruby XML Library

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.
Meta Information
Generated: 2026-06-25
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)

Vendor          Product    Version / Range
nokogiri        nokogiri   up to 1.19.4 (inclusive)
sparklemotion   nokogiri   1.19.4
CWE

CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability exists in the Nokogiri library for Ruby, specifically in the method Document#root=. Before version 1.19.4, this method checked only that the new root was a Nokogiri::XML::Node, so a Document Type Definition (DTD) node could be set as the root of the document.

Setting a DTD node as the document root leads to a heap use-after-free error during garbage collection or finalization. This means the program might try to access memory that has already been freed, causing invalid memory reads or potentially crashing with a segmentation fault.

The issue affects only the CRuby implementation using libxml2 and requires a programming error to trigger; it cannot be exploited through untrusted input or normal API usage. The vulnerability was fixed in Nokogiri version 1.19.4 by restricting Document#root= to only allow element nodes and raising an error for other node types.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability can cause a heap use-after-free error, which may lead to invalid memory reads or segmentation faults (crashes) in applications using Nokogiri versions prior to 1.19.4.

Because it requires a programming error to trigger and cannot be exploited through normal or untrusted input, the practical impact is limited to potential application instability or crashes rather than remote code execution or data breaches.

Users of affected Nokogiri versions should upgrade to 1.19.4 or later to avoid these issues or ensure that non-element nodes are not assigned as the document root.

Detection Guidance

This vulnerability arises from a programming error in which a non-element node, such as a DTD node, is assigned through Nokogiri's Document#root= method, causing a heap use-after-free. Detection therefore consists of reviewing code that uses Nokogiri and checking whether Document#root= is ever assigned an invalid node type.

There are no specific network detection commands or automated scanning tools mentioned for this vulnerability, as it is triggered by improper usage in code rather than network activity.

To detect potential vulnerable usage, you can search your codebase for assignments to Document#root= and verify the node types being assigned.

  • Use grep or a similar tool to find assignments (the pattern allows optional whitespace before the equals sign, since Ruby assignments are usually written doc.root = node; comparisons such as doc.root == nil will also match and can be ignored): grep -r '\.root *=' path/to/your/code
  • Manually inspect the results or write tests to ensure only element nodes are assigned to Document#root=.

Mitigation Strategies

The primary mitigation is to upgrade Nokogiri to version 1.19.4 or later, where the vulnerability is fixed by restricting Document#root= assignments to element nodes only.

If upgrading is not immediately possible, avoid assigning non-element nodes (such as DTD nodes) to Document#root= in your code to prevent triggering the use-after-free.

Since the vulnerability requires a programming error to trigger and cannot be exploited through untrusted input or normal API usage, careful code review and validation of node assignments can serve as a temporary mitigation.
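As an added example, not taken from the CVE record or from Nokogiri itself, the following Ruby serves both the detection guidance above (scanning source for .root = assignments and flagging right-hand sides that produce a DTD) and the mitigation advice here (refusing non-element roots at runtime, as the 1.19.4 fix does). The names scan_root_assignments and assign_root! and the FakeNode/FakeDoc stand-ins are hypothetical; internal_subset, external_subset, create_internal_subset and Node#element? are real Nokogiri methods.

```ruby
# Added example: defensive helpers for code that assigns Document#root=
# on Nokogiri versions before 1.19.4. Not part of Nokogiri or of this CVE record.

# Right-hand sides that yield a Nokogiri::XML::DTD instead of an element.
# internal_subset, external_subset and create_internal_subset are real
# Nokogiri methods that return DTD nodes.
DTD_SOURCES = /\b(internal_subset|external_subset|create_internal_subset|XML::DTD)\b/

# A `.root =` assignment; the negative lookahead excludes `==` comparisons.
ROOT_ASSIGNMENT = /\.root\s*=(?!=)\s*(?<rhs>.+)$/

# Static scan of Ruby source text. Returns [[line_number, rhs, verdict], ...]
# where verdict is :suspicious (rhs looks like a DTD) or :review (needs a look).
def scan_root_assignments(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    next if line.lstrip.start_with?('#')
    m = ROOT_ASSIGNMENT.match(line)
    next unless m
    rhs = m[:rhs].sub(/\s+#.*\z/, '').strip   # drop a trailing comment
    findings << [lineno, rhs, rhs.match?(DTD_SOURCES) ? :suspicious : :review]
  end
  findings
end

# Runtime guard mirroring the 1.19.4 fix: refuse anything that is not an
# element node. Nokogiri::XML::Node#element? is a real method, so this works
# with real nodes and with any stand-in that responds to element?.
def assign_root!(doc, node)
  unless node.respond_to?(:element?) && node.element?
    raise ArgumentError, "document root must be an element node, got #{node.class}"
  end
  doc.root = node
end

# Constructed sample source, as it might appear in an application.
SAMPLE_SOURCE = <<~RUBY
  doc = Nokogiri::XML(xml)
  doc.root = doc.create_element('report')   # element: fine
  # doc.root = doc.internal_subset           # commented out, ignored
  copy.root = doc.internal_subset           # DTD node: the CVE-2026-57436 case
  copy.root = build_tree(data)              # unknown type: review manually
  empty = doc.root == nil                   # comparison, not an assignment
RUBY

# Constructed stand-ins (hypothetical) so the guard can be exercised offline.
FakeNode = Struct.new(:kind) { def element?; kind == :element; end }
FakeDoc  = Struct.new(:root)
```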
