High severity7.5GHSA Advisory· Published May 9, 2026· Updated May 18, 2026
CVE-2026-42245
CVE-2026-42245
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
net-imapRubyGems | >= 0.6.0, < 0.6.4 | 0.6.4 |
net-imapRubyGems | >= 0.5.0, < 0.5.14 | 0.5.14 |
net-imapRubyGems | < 0.4.24 | 0.4.24 |
Affected products
61- osv-coords60 versionspkg:apk/chainguard/gitlab-rails-ce-18.1pkg:apk/chainguard/gitlab-rails-ce-18.10pkg:apk/chainguard/gitlab-rails-ce-18.11pkg:apk/chainguard/gitlab-rails-ce-18.6pkg:apk/chainguard/gitlab-rails-ce-18.7pkg:apk/chainguard/gitlab-rails-ce-18.8pkg:apk/chainguard/gitlab-rails-ce-18.9pkg:apk/chainguard/gitlab-rails-ce-fips-18.10pkg:apk/chainguard/gitlab-rails-ce-fips-18.11pkg:apk/chainguard/gitlab-rails-ce-fips-18.3pkg:apk/chainguard/gitlab-rails-ce-fips-18.6pkg:apk/chainguard/gitlab-rails-ce-fips-18.9pkg:apk/chainguard/kube-fluentd-operatorpkg:apk/chainguard/logstash-8.19pkg:apk/chainguard/logstash-8.19-iamguarded-compatpkg:apk/chainguard/logstash-8.19-with-output-opensearchpkg:apk/chainguard/logstash-9.0pkg:apk/chainguard/logstash-9.0-iamguarded-compatpkg:apk/chainguard/logstash-9.0-with-output-opensearchpkg:apk/chainguard/logstash-9.3pkg:apk/chainguard/logstash-9.3-iamguarded-compatpkg:apk/chainguard/logstash-9.3-with-output-opensearchpkg:apk/chainguard/logstash-fips-9.3pkg:apk/chainguard/logstash-fips-9.3-iamguarded-compatpkg:apk/chainguard/ruby3.2-kube-logging-operator-fluentd-outputspkg:apk/chainguard/ruby3.2-net-imappkg:apk/chainguard/ruby3.2-rails-7.2pkg:apk/chainguard/ruby3.2-rails-8.0pkg:apk/chainguard/ruby3.2-rails-8.1pkg:apk/chainguard/ruby3.3-net-imappkg:apk/chainguard/ruby3.3-rails-7.2pkg:apk/chainguard/ruby3.3-rails-8.0pkg:apk/chainguard/ruby3.3-rails-8.1pkg:apk/chainguard/ruby3.4-kube-logging-operator-fluentd-outputspkg:apk/chainguard/ruby3.4-net-imappkg:apk/chainguard/ruby3.4-rails-7.2pkg:apk/chainguard/ruby3.4-rails-8.0pkg:apk/chainguard/ruby3.4-rails-8.1pkg:apk/chainguard/ruby4.0-net-imappkg:apk/chainguard/ruby4.0-rails-7.2pkg:apk/chainguard/ruby4.0-rails-8.0pkg:apk/chainguard/ruby4.0-rails-8.1pkg:apk/wolfi/kube-fluentd-operatorpkg:apk/wolfi/logstash-9.3pkg:apk/wolfi/logstash-9.3-iamguarded-compatpkg:apk/wolfi/logstash-9.3-with-output-opensearchpkg:apk/wolfi/ruby3.2-kube-logging-operator-fluentd-outputspkg:apk/wolfi/ruby3.2-net-imappkg:apk/wolfi/ruby3.2-rails-8.0pkg:apk/wolfi/ruby3.2-rails-8.1pkg:apk/wolfi/ruby3.3-net-imappkg:apk/wolfi/ruby3.3-rails-8.0pkg:apk/wolfi/ruby3.3-rails-8.1pkg:apk/wolfi/ruby3.4-kube-logging-operator-fluentd-outputspkg:apk/wolfi/ruby3.4-net-imappkg:apk/wolfi/ruby3.4-rails-8.0pkg:apk/wolfi/ruby3.4-rails-8.1pkg:apk/wolfi/ruby4.0-net-imappkg:apk/wolfi/ruby4.0-rails-8.1pkg:gem/net-imap
< 18.1.6-r10+ 59 more
- (no CPE)range: < 18.1.6-r10
- (no CPE)range: < 18.10.5-r1
- (no CPE)range: < 18.11.3-r1
- (no CPE)range: < 18.6.6-r4
- (no CPE)range: < 18.7.6-r3
- (no CPE)range: < 18.8.9-r1
- (no CPE)range: < 18.9.7-r2
- (no CPE)range: < 18.10.4-r1
- (no CPE)range: < 18.11.3-r2
- (no CPE)range: < 18.3.6-r7
- (no CPE)range: < 18.6.6-r4
- (no CPE)range: < 18.9.6-r1
- (no CPE)range: < 1.18.2-r70
- (no CPE)range: < 8.19.14-r4
- (no CPE)range: < 8.19.14-r4
- (no CPE)range: < 8.19.14-r4
- (no CPE)range: < 9.0.8-r21
- (no CPE)range: < 9.0.8-r21
- (no CPE)range: < 9.0.8-r21
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 6.5.0-r2
- (no CPE)range: < 0.6.4-r0
- (no CPE)range: < 7.2.3.1-r2
- (no CPE)range: < 8.0.5-r1
- (no CPE)range: < 8.1.3-r3
- (no CPE)range: < 0.6.4-r0
- (no CPE)range: < 7.2.3.1-r2
- (no CPE)range: < 8.0.5-r2
- (no CPE)range: < 8.1.3-r4
- (no CPE)range: < 6.5.0-r2
- (no CPE)range: < 0.6.3-r0
- (no CPE)range: < 7.2.3.1-r3
- (no CPE)range: < 8.0.5-r2
- (no CPE)range: < 8.1.3-r3
- (no CPE)range: < 0.6.4-r0
- (no CPE)range: < 7.2.3.1-r3
- (no CPE)range: < 8.0.5-r2
- (no CPE)range: < 8.1.3-r4
- (no CPE)range: < 1.18.2-r70
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 9.3.4-r1
- (no CPE)range: < 6.5.0-r2
- (no CPE)range: < 0.6.4-r0
- (no CPE)range: < 8.0.5-r1
- (no CPE)range: < 8.1.3-r3
- (no CPE)range: < 0.6.4-r0
- (no CPE)range: < 8.0.5-r2
- (no CPE)range: < 8.1.3-r4
- (no CPE)range: < 6.5.0-r2
- (no CPE)range: < 0.6.3-r0
- (no CPE)range: < 8.0.5-r2
- (no CPE)range: < 8.1.3-r3
- (no CPE)range: < 0.6.4-r0
- (no CPE)range: < 8.1.3-r4
- (no CPE)range: >= 0.6.0, < 0.6.4
Patches
Vulnerability mechanics
References
10- github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96nvdPatchWEB
- github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfdanvdPatchWEB
- github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819nvdPatchWEB
- github.com/advisories/GHSA-q2mw-fvj9-vvcwghsaADVISORY
- github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcwnvdMitigationVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-42245ghsaADVISORY
- github.com/ruby/net-imap/releases/tag/v0.4.24nvdRelease NotesWEB
- github.com/ruby/net-imap/releases/tag/v0.5.14nvdRelease NotesWEB
- github.com/ruby/net-imap/releases/tag/v0.6.4nvdRelease NotesWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42245.ymlghsaWEB
News mentions
0No linked articles in our index yet.