CVE-2026-57438
Status: Undergoing Analysis - In Progress
Memory Corruption in Nokogiri via XInclude Substitution

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.
Affected Vendors & Products
Showing 2 associated CPEs

Vendor          Product    Version / Range
nokogiri        nokogiri   to 1.19.4 (inclusive)
sparklemotion   nokogiri   to 1.19.4 (inclusive)
CWE
CWE-416: The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Executive Summary

This vulnerability is a use-after-free issue in Nokogiri's XInclude processing. When Nokogiri::XML::Node#do_xinclude replaces each <xi:include> node, it frees that node and its children, including any namespaces declared on them. However, if an application had already exposed those nodes or namespaces to Ruby, the Ruby objects would still reference the freed memory. Using these objects could cause invalid memory reads or writes.

The problem affects the CRuby implementation of Nokogiri and is fixed in version 1.19.4 by performing substitutions on defensive copies, preventing the use-after-free condition.

Impact Analysis

This vulnerability can lead to invalid memory reads or writes if an application uses Ruby objects that reference freed memory after XInclude substitution. This could potentially cause application crashes or unpredictable behavior.

However, the severity is considered low because exploiting this issue requires an unusual API usage pattern that is uncommon in practice.

Detection Guidance

This vulnerability arises from a use-after-free condition in Nokogiri's XInclude processing when the Nokogiri::XML::Node#do_xinclude method is used. Detection consists of identifying whether your Ruby application uses a Nokogiri version prior to 1.19.4 and calls do_xinclude in a way that exposes freed nodes or namespaces.

There are no specific network detection commands or signatures since this is a memory management issue within the Ruby application using Nokogiri. Instead, detection should focus on checking the Nokogiri version and reviewing application code for usage of do_xinclude.

  • Check Nokogiri version installed: `gem list nokogiri` or `bundle list | grep nokogiri`
  • Search your Ruby codebase for usage of `do_xinclude` method: `grep -r 'do_xinclude' ./`
  • If possible, run the application under debugging or memory analysis tools to catch invalid memory reads or writes at runtime, though this requires advanced debugging.
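An added audit script for the version check and the code search above (not part of this page or of the Nokogiri project): it reads the nokogiri versions pinned in a Gemfile.lock, compares them with 1.19.4 using Gem::Version, and lists do_xinclude call sites in the given Ruby sources. The Gemfile.lock text, file paths and source snippets are constructed samples.

```ruby
require "rubygems" # Gem::Version ships with RubyGems; nokogiri itself is not needed to run this

# First fixed release named in the advisory; everything below it is affected.
FIXED_VERSION = Gem::Version.new("1.19.4")

# Pinned nokogiri versions in a Gemfile.lock. Only "nokogiri (1.19.3)" style lines
# are taken; constraint lines such as "nokogiri (>= 1.15)" are skipped, and the
# platform suffix of "nokogiri (1.19.3-x86_64-linux)" is dropped so that
# Gem::Version does not read it as a prerelease tag (which would mis-rank 1.19.4).
def nokogiri_versions(lockfile_text)
  lockfile_text.scan(/^\s+nokogiri \((\d+(?:\.\d+)*)(?:-[^)]*)?\)/)
               .flatten.map { |v| Gem::Version.new(v) }.uniq
end

def vulnerable_version?(version)
  version < FIXED_VERSION
end

# Lines in Ruby source that call do_xinclude, as [line_number, text] pairs for review.
def xinclude_call_sites(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(/\bdo_xinclude\b/) }
        .map { |line, n| [n, line.strip] }
end

# The CVE matters only when a vulnerable version is locked AND the app calls do_xinclude.
def audit(lockfile_text, sources)
  vulnerable = nokogiri_versions(lockfile_text).select { |v| vulnerable_version?(v) }
  calls = sources.flat_map do |path, src|
    xinclude_call_sites(src).map { |n, text| "#{path}:#{n}: #{text}" }
  end
  { vulnerable_versions: vulnerable.map(&:to_s), call_sites: calls,
    at_risk: !vulnerable.empty? && !calls.empty? }
end

# Constructed sample inputs (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.19.3-x86_64-linux)
        racc (~> 1.4)
      racc (1.7.3)
LOCK
SAMPLE_SOURCES = {
  "app/importer.rb" => "doc = Nokogiri::XML(xml)\nfb = doc.at('xi:fallback')\ndoc.root.do_xinclude\n",
  "app/safe.rb"     => "doc = Nokogiri::XML(xml, nil, nil, Nokogiri::XML::ParseOptions::XINCLUDE)\n"
}
puts audit(SAMPLE_LOCK, SAMPLE_SOURCES).inspect if __FILE__ == $PROGRAM_NAME
```

A hit in call_sites only marks a location for manual review; whether a node or namespace from the included subtree was exposed to Ruby before the call still has to be judged from the surrounding code.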
Mitigation Strategies

The primary mitigation is to upgrade Nokogiri to version 1.19.4 or later, where the vulnerability is fixed by performing XInclude substitutions on defensive copies.

As a workaround, if upgrading is not immediately possible, perform XInclude substitution at parse time using the `xinclude` parse option instead of calling `do_xinclude` afterwards.

Avoid exposing nodes or namespaces to Ruby objects before XInclude processing to reduce the risk of use-after-free conditions.
