CVE-2026-57436
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
Vulnerability in the Nokogiri library for Ruby allows setting a DTD node as the document root, leading to a heap use-after-free during garbage collection or finalization, resulting in invalid memory read or potential segfault.
Risk Assessment
An attacker can cause application crashes (segfault) or unpredictable behavior, potentially leading to denial of service or memory information disclosure.
Recommendation
Immediately update Nokogiri to version 1.19.4 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.

