Bug 2492946 (CVE-2026-57437)

Summary: CVE-2026-57437 nokogiri: Nokogiri: Denial of Service due to improper XPathContext garbage collection
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: akostadi, amasferr, anthomas, crizzo, dmayorov, ehelms, eshamard, ggainey, jlledo, jpasqual, juwatts, jvasik, kaycoth, mhulan, nmoumoul, osousa, pantinor, pcreech, rblanco, rchan, rhel-process-autobot, smallamp, tmalecek, tsedmik, watson-tool-maintainers
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Nokogiri, an XML and HTML library for Ruby. This vulnerability occurs when an application directly constructs an XPathContext and allows its associated document to be garbage collected while the context is still in use. An attacker could potentially exploit this by causing the application to read invalid memory, leading to a denial of service (DoS) through a segmentation fault.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2497301, 2497300    
Bug Blocks:    

Description OSIDB Bzimport 2026-06-25 15:02:33 UTC
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault. This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input. This vulnerability is fixed in 1.19.4.