CVE-2026-57436

NameCVE-2026-57436
DescriptionNokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault. This vulnerability is fixed in 1.19.4.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1140769

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-nokogiri (PTS)bullseye1.11.1+dfsg-2vulnerable
bullseye (security)1.11.1+dfsg-2+deb11u1vulnerable
bookworm1.13.10+dfsg-2vulnerable
trixie1.18.2+dfsg-1vulnerable
forky1.19.1+dfsg-1vulnerable
sid1.19.3+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-nokogirisource(unstable)(unfixed)1140769

Notes

https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h
Search for package or bug name: Reporting problems