CVE Catalog

CVE-2026-57436

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.33%

25th percentile — higher than 25% of all known CVEs

Summary

Vulnerability in the Nokogiri library for Ruby allows setting a DTD node as the document root, leading to a heap use-after-free during garbage collection or finalization, resulting in invalid memory read or potential segfault.

Risk Assessment

An attacker can cause application crashes (segfault) or unpredictable behavior, potentially leading to denial of service or memory information disclosure.

Recommendation

Immediately update Nokogiri to version 1.19.4 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS