CVE-2026-42256

Summary

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Affected Software

VendorProductVersion RangeStatus
rubynet-imap>= 0.4.0, < 0.4.24affected
rubynet-imap>= 0.5.0, < 0.5.14affected
rubynet-imap>= 0.6.0, < 0.6.4affected

Weaknesses

  • CWE-1322: CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context
  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References