logo

Database

Asymmetric denial of service In net-imap

Description

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-422562. NVD-2026-422563. OSV-2026-422564. OSV-DEBIAN-2026-422565. GHSA-87pf-fpwv-p7m76. GCVE-2026-422567. SECURITY-TRACKER-CVE-2026-42256

References

1. https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m72. https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa6123. https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f44. https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df7585. https://github.com/ruby/net-imap/releases/tag/v0.4.246. https://github.com/ruby/net-imap/releases/tag/v0.5.147. https://github.com/ruby/net-imap/releases/tag/v0.6.48. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42256.yml9. https://www.rfc-editor.org/rfc/rfc7804.html#page-15

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.