Description
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.
Published: 2026-06-25
Score: 1.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nokogiri, an XML/HTML parser for Ruby, contains a use‑after‑free flaw in the Document#encoding= method. When an invalid encoding is supplied—such as a non‑string or a string with a null byte—the method throws an exception after freeing the current encoding string without replacing it. The document then holds a dangling reference, and a subsequent read of the encoding may access freed memory, potentially causing an application crash or leaking data into Ruby Strings.

Affected Systems

The affected product is the Sparklemotion Nokogiri library, versions earlier than 1.19.4, on the CRuby (libxml2) implementation. JRuby is not impacted.

Risk and Exploitability

The CVSS score is 1.7, indicating low severity, and the EPSS score is not reported. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require local code that constructs a Nokogiri Document and passes an invalid encoding string; there is no known remote exploit, so likelihood of attack remains low.

Generated by OpenCVE AI on June 26, 2026 at 02:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nokogiri to version 1.19.4 or later to eliminate the dangling‑reference bug.
  • Validate encoding input before assigning it to Document#encoding=; ensure it is a proper string without control characters or null bytes.
  • If updating immediately is not possible, restrict local Ruby code that interacts with Nokogiri from passing untrusted data to the encoding setter, applying defensive input filtering to avert the exception and dangling reference.

Generated by OpenCVE AI on June 26, 2026 at 02:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Sparklemotion
Sparklemotion nokogiri
Vendors & Products Sparklemotion
Sparklemotion nokogiri

Fri, 26 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}

threat_severity

Important


Thu, 25 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String. Affects the CRuby (libxml2) implementation only; JRuby is not affected. This vulnerability is fixed in 1.19.4.
Title Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception
Weaknesses CWE-416
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}


Subscriptions

Sparklemotion Nokogiri
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:32:43.266Z

Reserved: 2026-06-24T02:21:33.812Z

Link: CVE-2026-57236

cve-icon Vulnrichment

Updated: 2026-06-25T15:32:39.322Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-25T14:29:14Z

Links: CVE-2026-57236 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:37:30Z

Weaknesses