Use-After-Free Vulnerability in Nokogiri XML/HTML Library by Sparklemotion
CVE-2026-57436

1.7 LOW

Key Information:

CVE Published: 25 June 2026

What is CVE-2026-57436?

An issue has been identified in Nokogiri, a widely used open-source XML and HTML library for Ruby: the Nokogiri::XML::Document#root= method did not properly validate the node being assigned as the new document root. Before version 1.19.4, this oversight allowed a Document Type Definition (DTD) node to be installed as the document root. That state can lead to a use-after-free during garbage collection, potentially resulting in invalid memory reads and segmentation faults, and so undermines the stability and security of applications that use the library.

Affected Version(s)

nokogiri < 1.19.4
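Whether a deployment is exposed comes down to the nokogiri version resolved in its Gemfile.lock. The Ruby below is an added example, not part of this advisory or of Nokogiri itself: it flags resolved nokogiri entries below 1.19.4, separating the native-gem platform suffix (for example "-x86_64-linux") so that Gem::Version does not misread it as a prerelease tag and misrank a fixed build; the lockfile fragment is constructed for the example.

```ruby
require "rubygems" # Gem::Version ships with Ruby's standard distribution

# Added example (not code from the advisory or from Nokogiri): find resolved
# nokogiri versions in a Gemfile.lock below the fixed version, 1.19.4.
FIXED_NOKOGIRI_VERSION = Gem::Version.new("1.19.4")

# Resolved gems in the "specs:" section look like "    nokogiri (1.18.3)".
# Native builds add a platform suffix: "    nokogiri (1.18.3-x86_64-linux)".
# The platform is captured separately because Gem::Version would otherwise
# treat "-x86_64-linux" as a prerelease tag and rank 1.19.4-x86_64-linux
# below 1.19.4, producing a false positive on a fixed build.
RESOLVED_NOKOGIRI = /\A\s+nokogiri \((\d[\w.]*?)(?:-([\w-]+))?\)\s*\z/

# Returns vulnerable entries as [version, platform_or_nil] pairs.
# Dependency constraint lines such as "      nokogiri (~> 1.16)" start with an
# operator rather than a digit and therefore do not match the pattern.
def vulnerable_nokogiri_entries(lockfile_text)
  lockfile_text.each_line.filter_map do |line|
    m = RESOLVED_NOKOGIRI.match(line) or next
    version, platform = m[1], m[2]
    next unless Gem::Version.new(version) < FIXED_NOKOGIRI_VERSION
    [version, platform]
  end
end

# Constructed Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.3)
        racc (~> 1.4)
      nokogiri (1.18.3-x86_64-linux)
        racc (~> 1.4)
      nokogiri (1.19.4-arm64-darwin)
        racc (~> 1.4)
      racc (1.8.1)
      rails-html-sanitizer (1.6.0)
        nokogiri (~> 1.16)

  PLATFORMS
    ruby
    x86_64-linux
    arm64-darwin
LOCK

if $PROGRAM_NAME == __FILE__
  vulnerable_nokogiri_entries(SAMPLE_LOCKFILE).each do |version, platform|
    suffix = platform ? " (#{platform})" : ""
    puts "vulnerable: nokogiri #{version}#{suffix} < #{FIXED_NOKOGIRI_VERSION}"
  end
end
```

Running it against the constructed lockfile reports the two 1.18.3 entries and leaves the 1.19.4 arm64-darwin build alone.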

CVSS V4

Score: 1.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
