CVE-2026-42256

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612	Patch
https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4	Patch
https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758	Patch
https://github.com/ruby/net-imap/releases/tag/v0.4.24	Release Notes
https://github.com/ruby/net-imap/releases/tag/v0.5.14	Release Notes
https://github.com/ruby/net-imap/releases/tag/v0.6.4	Release Notes
https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:net\:\:imap::::::ruby::*
	cpe:2.3:a:ruby-lang:net\:\:imap::::::ruby::*
	cpe:2.3:a:ruby-lang:net\:\:imap::::::ruby::*

History

18 May 2026, 18:06

Type	Values Removed	Values Added
First Time		Ruby-lang net\ Ruby-lang
CPE		cpe:2.3:a:ruby-lang:net\:\:imap::::::ruby::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
References	~~() https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612 -~~	() https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612 - Patch
References	~~() https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4 -~~	() https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4 - Patch
References	~~() https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758 -~~	() https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758 - Patch
References	~~() https://github.com/ruby/net-imap/releases/tag/v0.4.24 -~~	() https://github.com/ruby/net-imap/releases/tag/v0.4.24 - Release Notes
References	~~() https://github.com/ruby/net-imap/releases/tag/v0.5.14 -~~	() https://github.com/ruby/net-imap/releases/tag/v0.5.14 - Release Notes
References	~~() https://github.com/ruby/net-imap/releases/tag/v0.6.4 -~~	() https://github.com/ruby/net-imap/releases/tag/v0.6.4 - Release Notes
References	~~() https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7 -~~	() https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7 - Mitigation, Vendor Advisory

09 May 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-09 20:16

Updated : 2026-05-18 18:06

NVD link : CVE-2026-42256

Mitre link : CVE-2026-42256

CVE.ORG link : CVE-2026-42256

JSON object : View

Products Affected

ruby-lang

net\

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-1322

Use of Blocking Code in Single-threaded, Non-blocking Context

6.5 /10