Memory Corruption Vulnerability in Nokogiri XML and HTML Library
CVE-2026-57438

2.2 LOW

Key Information:

CVE Published: 25 June 2026

What is CVE-2026-57438?

Nokogiri, a widely used open source Ruby library for XML and HTML processing, contains a memory corruption issue in versions prior to 1.19.4. The defect lies in XInclude substitution: the Nokogiri::XML::Node#do_xinclude method replaces each xi:include node in place, and the replaced nodes are freed even though Ruby objects may still reference those nodes or their associated namespaces. Any later use of such a Ruby object operates on freed memory, which can crash the application or otherwise corrupt its state. The vulnerability is fixed in version 1.19.4.

Affected Version(s)

nokogiri < 1.19.4
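The quickest defensive check for this advisory is to confirm which Nokogiri version an application actually locks. The following Ruby script is an added example written for this page, not code from Nokogiri or from the advisory; it parses a Gemfile.lock (a constructed sample is embedded inline) and flags any locked nokogiri version below the 1.19.4 fix version stated above. The function names and the sample lockfile contents are assumptions made for illustration.

```ruby
# Added example: audit a Gemfile.lock for a Nokogiri version affected by CVE-2026-57438.
# Function names and the sample lockfile below are constructed for this example.
require "rubygems"

# Fix version as stated in the advisory.
FIXED_NOKOGIRI_VERSION = Gem::Version.new("1.19.4")

# Extract the locked nokogiri version(s) from Gemfile.lock text.
# Bundler lists each gem under "specs:" with four spaces of indentation.
# Platform-specific entries look like "nokogiri (1.18.2-x86_64-linux)";
# the platform suffix is dropped so only the gem version is compared.
def locked_nokogiri_versions(lockfile_text)
  lockfile_text.scan(/^\s{4}nokogiri \(([^)]+)\)/).flatten.map do |raw|
    raw.split("-", 2).first
  end.uniq
end

# Return [version, affected?] pairs; affected means version < 1.19.4.
def audit_nokogiri(lockfile_text)
  locked_nokogiri_versions(lockfile_text).map do |version|
    [version, Gem::Version.new(version) < FIXED_NOKOGIRI_VERSION]
  end
end

# Constructed sample Gemfile.lock fragment (not from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.2-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    nokogiri
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  audit_nokogiri(text).each do |version, affected|
    status = affected ? "AFFECTED by CVE-2026-57438 (< 1.19.4), upgrade" : "not affected"
    puts "nokogiri #{version}: #{status}"
  end
end
```

Run it with a path to a Gemfile.lock as the first argument, or with no argument to audit the embedded sample. Because the comparison uses Gem::Version rather than string comparison, prerelease and multi-digit versions are ordered correctly.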

CVSS V4

Score: 2.2
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved