Denial-of-Service Vulnerability in Net::IMAP by Ruby
CVE-2026-42256

6 MEDIUM

Key Information:

Vendor: Ruby
Status: Vendor
CVE Published: 9 May 2026

What is CVE-2026-42256?

The Net::IMAP library in Ruby (the net-imap gem), versions 0.4.0 up to but not including 0.4.24, 0.5.0 up to but not including 0.5.14, and 0.6.0 up to but not including 0.6.4, is susceptible to a denial-of-service attack when a client authenticates with the SCRAM-SHA1 or SCRAM-SHA256 mechanism. In SCRAM the iteration count for the password-based key derivation is supplied by the server, so a malicious or compromised IMAP server can send an extremely high iteration count; the client then performs that many hash iterations, consuming excessive CPU and becoming unresponsive. The issue is fixed in versions 0.4.24, 0.5.14 and 0.6.4. Users are advised to upgrade to the latest versions to secure their applications.
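The following is an added illustrative example, not net-imap's own code or its fix: a SCRAM client helper that parses the server-first-message (RFC 5802 format) and refuses to run PBKDF2 when the server-supplied iteration count falls outside an accepted window. The limits MIN_ITERATIONS and MAX_ITERATIONS and all function names are assumptions chosen for this example.

```ruby
require "openssl"

# Added illustrative example (not net-imap's own code): bound the
# server-supplied SCRAM iteration count before any key derivation runs.
# Both limits are assumed, illustrative values, not values from net-imap.
MIN_ITERATIONS = 4_096     # RFC 5802 recommends at least 4096
MAX_ITERATIONS = 100_000   # local cap: larger values are treated as hostile

class IterationCountTooHigh < StandardError; end
class MalformedServerFirst < StandardError; end

# Parse "r=<nonce>,s=<base64 salt>,i=<count>". The salt is base64, so the
# split is limited to two parts to keep any "=" padding intact.
def parse_server_first(message)
  fields = {}
  message.split(",").each do |kv|
    key, value = kv.split("=", 2)
    fields[key] = value
  end
  raise MalformedServerFirst, message unless %w[r s i].all? { |k| fields[k] }
  iterations = Integer(fields["i"], 10, exception: false)
  raise MalformedServerFirst, "bad iteration count" unless iterations
  { nonce: fields["r"], salt: fields["s"].unpack1("m0"), iterations: iterations }
end

# PBKDF2 cost is linear in the iteration count, so this check must run
# before salted_password does any hashing.
def iteration_count_acceptable?(iterations, min: MIN_ITERATIONS, max: MAX_ITERATIONS)
  iterations.between?(min, max)
end

# SaltedPassword := Hi(password, salt, i) from RFC 5802, computed only after
# the iteration count has been vetted. hash is "SHA1" or "SHA256".
def salted_password(password, server_first, hash: "SHA256")
  parsed = parse_server_first(server_first)
  unless iteration_count_acceptable?(parsed[:iterations])
    raise IterationCountTooHigh, "server requested i=#{parsed[:iterations]}"
  end
  digest = OpenSSL::Digest.new(hash)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: parsed[:salt],
                           iterations: parsed[:iterations],
                           length: digest.digest_length, hash: digest)
end

# Predicate form: would this server-first-message be accepted at all?
def server_first_acceptable?(server_first)
  iteration_count_acceptable?(parse_server_first(server_first)[:iterations])
rescue MalformedServerFirst, ArgumentError
  false
end
```

The sample messages in the accompanying checks reuse the nonce and salt from the RFC 5802 example exchange with constructed iteration counts; a real client would run this check on the message it receives from the server before continuing the SCRAM exchange.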

Affected Version(s)

net-imap >= 0.4.0, < 0.4.24 (unaffected: < 0.4.0; fixed: 0.4.24)

net-imap >= 0.5.0, < 0.5.14 (unaffected: < 0.5.0; fixed: 0.5.14)

net-imap >= 0.6.0, < 0.6.4 (unaffected: < 0.6.0; fixed: 0.6.4)

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published: 9 May 2026

  • Vulnerability reserved