CVE-2026-57438
Analyzed Analyzed - Analysis Complete

Memory Corruption in Nokogiri via XInclude Substitution

Vulnerability report for CVE-2026-57438, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-25

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory. This vulnerability is fixed in 1.19.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-25
Last Modified
2026-06-26
Generated
2026-07-15
AI Q&A
2026-06-25
EPSS Evaluated
2026-07-14
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nokogiri nokogiri to 1.19.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is a use-after-free issue in Nokogiri's XInclude processing. When Nokogiri::XML::Node#do_xinclude replaces each <xi:include> node, it frees that node and its children, including any namespaces declared on them. However, if an application had already exposed those nodes or namespaces to Ruby, the Ruby objects would still reference the freed memory. Using these objects could cause invalid memory reads or writes.

The problem affects the CRuby implementation of Nokogiri and is fixed in version 1.19.4 by performing substitutions on defensive copies, preventing the use-after-free condition.

Impact Analysis

This vulnerability can lead to invalid memory reads or writes if an application uses Ruby objects that reference freed memory after XInclude substitution. This could potentially cause application crashes or unpredictable behavior.

However, the severity is considered low because exploiting this issue requires an unusual API usage pattern that is not common in normal operations.

Detection Guidance

This vulnerability arises from a use-after-free condition in Nokogiri's XInclude processing when using the Nokogiri::XML::Node#do_xinclude method. Detection involves identifying if your Ruby application uses Nokogiri versions prior to 1.19.4 and specifically calls do_xinclude in a way that exposes freed nodes or namespaces.

There are no specific network detection commands or signatures since this is a memory management issue within the Ruby application using Nokogiri. Instead, detection should focus on checking the Nokogiri version and reviewing application code for usage of do_xinclude.

  • Check Nokogiri version installed: `gem list nokogiri` or `bundle list | grep nokogiri`
  • Search your Ruby codebase for usage of `do_xinclude` method: `grep -r 'do_xinclude' ./`
  • If possible, enable debugging or memory analysis tools to detect invalid memory reads/writes during runtime, though this requires advanced debugging.
Mitigation Strategies

The primary mitigation is to upgrade Nokogiri to version 1.19.4 or later, where the vulnerability is fixed by performing XInclude substitutions on defensive copies.

As a workaround, if upgrading is not immediately possible, perform XInclude substitution at parse time using the xinclude option instead of calling do_xinclude later.

Avoid exposing nodes or namespaces to Ruby objects before XInclude processing to reduce the risk of use-after-free conditions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57438. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart