CVE-2026-57434

NameCVE-2026-57434
DescriptionNokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process. This vulnerability is fixed in 1.19.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140769

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-nokogiri (PTS)bullseye1.11.1+dfsg-2vulnerable
bullseye (security)1.11.1+dfsg-2+deb11u1vulnerable
bookworm1.13.10+dfsg-2vulnerable
trixie1.18.2+dfsg-1vulnerable
forky1.19.1+dfsg-1vulnerable
sid1.19.3+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-nokogirisource(unstable)(unfixed)1140769

Notes

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-9cv2-cfxc-v4v2
Search for package or bug name: Reporting problems