CVE-2026-42245
Denial of Service in Ruby Net::IMAP Client
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ruby | net_imap | 0.4.24 |
| ruby | net_imap | 0.5.14 |
| ruby | net_imap | 0.6.4 |
| ruby | net_imap | From 0.4.24 (inc) to 0.6.0 (exc) |
| ruby | net_imap | From 0.5.0 (inc) to 0.6.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42245 is a vulnerability in the Ruby net-imap library affecting the Net::IMAP::ResponseReader component. The issue arises because the ResponseReader has quadratic time complexity when processing large IMAP server responses containing many string literals. This means that as the size of the response grows, the CPU time required to process it grows disproportionately, leading to inefficient processing.
A malicious IMAP server can exploit this by sending specially crafted responses that cause the client to consume excessive CPU resources, resulting in a denial of service (DoS) condition. The vulnerability occurs because the response reader rescans the entire growing buffer for each literal, causing O(nΒ²) performance. This can bypass default response size limits and hold the Global VM lock, impacting other threads.
The issue has been fixed in versions 0.4.24, 0.5.14, and 0.6.4 of the ruby/net-imap library by optimizing the ResponseReader to handle large responses more efficiently and avoid the quadratic time complexity.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing a hostile IMAP server to cause your Ruby net-imap client to consume excessive CPU resources when processing large or specially crafted responses. This can lead to a denial of service (DoS) condition where the client becomes unresponsive or slow, potentially affecting the availability of your application or service.
Because the vulnerability holds the Global VM lock during processing, it can also degrade the performance of other threads in your Ruby application, amplifying the impact.
The attack requires only network access and no special privileges or user interaction, making it feasible if your application connects to untrusted or malicious IMAP servers.
Mitigation involves upgrading to patched versions (0.4.24, 0.5.14, or 0.6.4) or reducing the max_response_size setting when connecting to untrusted servers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the Net::IMAP::ResponseReader exhibiting quadratic time complexity when processing large IMAP server responses containing many string literals, leading to excessive CPU usage. Detection involves monitoring for unusually high CPU usage by Ruby processes using the net-imap library when communicating with IMAP servers.
Since the vulnerability is triggered by crafted large IMAP responses, one can detect potential exploitation by capturing and analyzing IMAP traffic for unusually large or numerous string literals in server responses.
Suggested commands to detect symptoms include:
- Use system monitoring tools like `top` or `htop` to identify Ruby processes consuming excessive CPU.
- Capture network traffic on the IMAP port (usually 143 or 993) using `tcpdump` or `wireshark` to inspect server responses for large or suspicious payloads.
- Example tcpdump command: `tcpdump -i <interface> port 143 or port 993 -w imap_traffic.pcap`
- Analyze captured traffic with Wireshark or similar tools to look for large IMAP responses with many string literals.
There are no specific built-in commands or scripts provided in the resources for direct detection of this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation for this vulnerability is to upgrade the ruby/net-imap library to a patched version where the issue is fixed.
- Upgrade to version 0.4.24, 0.5.14, or 0.6.4 of ruby/net-imap, as these versions include fixes for the quadratic time complexity vulnerability.
- If upgrading immediately is not possible, reduce the max_response_size setting when connecting to untrusted IMAP servers to limit the size of responses processed.
These steps help prevent denial of service attacks caused by maliciously crafted large IMAP responses.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of CVE-2026-42245 on compliance with common standards and regulations such as GDPR or HIPAA.