CVE-2026-42256
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
09/05/2026
Last modified:
18/05/2026
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Impact
Base Score 4.0
6.00
Severity 4.0
MEDIUM
Base Score 3.x
6.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* | 0.4.0 (including) | 0.4.24 (excluding) |
| cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* | 0.5.0 (including) | 0.5.14 (excluding) |
| cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:* | 0.6.0 (including) | 0.6.4 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612
- https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4
- https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7