CVE-2026-57435
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
A vulnerability in the Nokogiri library (versions prior to 1.19.4) for the Ruby programming language allows a Ruby wrapper to point to freed memory when replacing the value of an XML attribute. This can lead to an invalid read and a possible segfault.
Risk Assessment
The risk involves a potential segfault in applications using Nokogiri for XML processing, which could result in service disruption or information leakage due to uncontrolled memory access.
Recommendation
Immediately update the Nokogiri library to version 1.19.4 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault. This vulnerability is fixed in 1.19.4.

