Memory Management Flaw in Nokogiri XML Library for Ruby
CVE-2026-57236
1.7 LOW
What is CVE-2026-57236?
Nokogiri, the popular XML and HTML library for Ruby, has a significant memory management flaw affecting versions prior to 1.19.4. This issue occurs when the Document#encoding= method is invoked with an invalid encoding input, such as a non-string or a string containing a null byte. The flaw results in the current encoding string being freed without proper replacement, which leads to the document referencing freed memory. Subsequent calls to Document#encoding may cause segmentation faults or leak freed bytes. This vulnerability specifically impacts the CRuby implementation and does not affect JRuby.
Affected Version(s)
nokogiri < 1.19.4
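
As an added example (not part of the advisory or the Nokogiri project), the Ruby script below scans Gemfile.lock text for resolved nokogiri entries and flags those below 1.19.4, treating "-java" platform builds as the unaffected JRuby implementation. The sample lockfile and the function name audit_nokogiri are constructed for illustration.

```ruby
# Added example: flag Nokogiri builds in a Gemfile.lock that fall in the
# affected range for CVE-2026-57236 (nokogiri < 1.19.4, CRuby only).
require "rubygems"

FIXED_VERSION = Gem::Version.new("1.19.4") # first fixed release, per the advisory

# Returns one hash per resolved nokogiri entry in the lockfile text.
def audit_nokogiri(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    # Resolved specs are indented four spaces; dependency constraints of
    # other gems (e.g. "nokogiri (>= 1.6)") are indented six and are skipped.
    m = line.match(/\A {4}nokogiri \(([^)\s]+)\)\s*\z/) or next
    # Precompiled gems append the platform after the first "-".
    version, platform = m[1].split("-", 2)
    platform ||= "ruby"
    # The advisory says JRuby is not affected; "java" is the JRuby build.
    jruby = platform == "java"
    affected = !jruby && Gem::Version.new(version) < FIXED_VERSION
    { version: version, platform: platform, affected: affected }
  end
end

# Constructed sample lockfile, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
        mini_portile2 (~> 2.8.2)
        racc (~> 1.4)
      nokogiri (1.18.3-x86_64-linux-gnu)
        racc (~> 1.4)
      nokogiri (1.16.0-java)
        racc (~> 1.4)
      nokogiri (1.19.4-arm64-darwin)
        racc (~> 1.4)
      racc (1.8.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_nokogiri(SAMPLE_LOCK).each do |r|
    status = r[:affected] ? "AFFECTED" : "ok"
    puts format("nokogiri %-8s %-18s %s", r[:version], r[:platform], status)
  end
end
```

To check a real project, pass File.read("Gemfile.lock") to audit_nokogiri instead of the sample text.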
