Medium severity 6.5 · GHSA Advisory · Published May 9, 2026 · Updated May 18, 2026
CVE-2026-42256
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
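The client-side check that bounds this cost, shown as an added example (it is not net-imap's code or its patch): the SCRAM server-first-message is parsed and the iteration count validated before any PBKDF2 work starts. `MAX_ITERATIONS`, `ScramPolicyError`, `parse_server_first`, `salted_password` and `try_derive` are hypothetical names, the cap is an assumed local policy value, and the messages are constructed samples.

```ruby
require "openssl"

# Hypothetical local policy (not a net-imap constant): largest PBKDF2
# iteration count this client will accept from a server.
MAX_ITERATIONS = 1_000_000

class ScramPolicyError < StandardError; end

# Parse "r=<nonce>,s=<base64 salt>,i=<count>" and validate every field
# before key derivation, so a hostile count never reaches PBKDF2.
def parse_server_first(message, client_nonce)
  attrs = message.split(",").to_h { |kv| k, _, v = kv.partition("="); [k, v] }
  nonce, salt_b64, count = attrs.values_at("r", "s", "i")
  raise ScramPolicyError, "missing r/s/i attribute" unless nonce && salt_b64 && count
  unless nonce.start_with?(client_nonce) && nonce.length > client_nonce.length
    raise ScramPolicyError, "nonce does not extend client nonce"
  end
  # Digits only, bounded length: no bignum parsing of attacker-sized input.
  raise ScramPolicyError, "malformed iteration count" unless count.match?(/\A[1-9]\d{0,9}\z/)
  iterations = count.to_i
  raise ScramPolicyError, "iteration count #{iterations} outside policy" if iterations > MAX_ITERATIONS
  salt = begin
    salt_b64.unpack1("m0") # strict base64
  rescue ArgumentError
    raise ScramPolicyError, "salt is not valid base64"
  end
  raise ScramPolicyError, "empty salt" if salt.empty?
  { nonce: nonce, salt: salt, iterations: iterations }
end

# Hi() from RFC 5802 is PBKDF2-HMAC with dkLen equal to the digest size.
def salted_password(password, server_first, digest: "sha256")
  OpenSSL::KDF.pbkdf2_hmac(password,
    salt: server_first[:salt], iterations: server_first[:iterations],
    length: OpenSSL::Digest.new(digest).digest_length, hash: digest)
end

# Constructed sample messages (not captured traffic).
CLIENT_NONCE = "constructed-client-nonce"
SALT_B64 = ["constructed-salt"].pack("m0")
HONEST  = "r=#{CLIENT_NONCE}srv,s=#{SALT_B64},i=4096"
HOSTILE = "r=#{CLIENT_NONCE}srv,s=#{SALT_B64},i=2147483647"

# Returns the derived key size in bytes, or the rejection reason.
def try_derive(message)
  salted_password("pencil", parse_server_first(message, CLIENT_NONCE)).bytesize
rescue ScramPolicyError => e
  e.message
end

[HONEST, HOSTILE].each { |m| puts "#{m[/i=\d+/]}: #{try_derive(m)}" }
```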
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| net-imap (RubyGems) | >= 0.6.0, < 0.6.4 | 0.6.4 |
| net-imap (RubyGems) | >= 0.5.0, < 0.5.14 | 0.5.14 |
| net-imap (RubyGems) | >= 0.4.0, < 0.4.24 | 0.4.24 |
Affected products
osv-coords, 73 versions (no CPE listed for any entry):
| Package | Affected range |
|---|---|
| pkg:apk/chainguard/gitlab-rails-ce-18.1 | < 18.1.6-r10 |
| pkg:apk/chainguard/gitlab-rails-ce-18.10 | < 18.10.5-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.11 | < 18.11.3-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.6 | < 18.6.6-r4 |
| pkg:apk/chainguard/gitlab-rails-ce-18.7 | < 18.7.6-r3 |
| pkg:apk/chainguard/gitlab-rails-ce-18.8 | < 18.8.9-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-18.9 | < 18.9.7-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.10 | < 18.10.4-r1 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.11 | < 18.11.3-r2 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.3 | < 18.3.6-r7 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.6 | < 18.6.6-r4 |
| pkg:apk/chainguard/gitlab-rails-ce-fips-18.9 | < 18.9.6-r1 |
| pkg:apk/chainguard/logstash-8.19 | < 8.19.14-r4 |
| pkg:apk/chainguard/logstash-8.19-iamguarded-compat | < 8.19.14-r4 |
| pkg:apk/chainguard/logstash-8.19-with-output-opensearch | < 8.19.14-r4 |
| pkg:apk/chainguard/logstash-9.0 | < 9.0.8-r21 |
| pkg:apk/chainguard/logstash-9.0-iamguarded-compat | < 9.0.8-r21 |
| pkg:apk/chainguard/logstash-9.0-with-output-opensearch | < 9.0.8-r21 |
| pkg:apk/chainguard/logstash-9.1 | < 9.1.10-r7 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.10-r7 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.10-r7 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.10-r7 |
| pkg:apk/chainguard/logstash-9.2 | < 9.2.8-r3 |
| pkg:apk/chainguard/logstash-9.2-iamguarded-compat | < 9.2.8-r3 |
| pkg:apk/chainguard/logstash-9.2-with-output-opensearch | < 9.2.8-r3 |
| pkg:apk/chainguard/logstash-9.3 | < 9.3.4-r1 |
| pkg:apk/chainguard/logstash-9.3-iamguarded-compat | < 9.3.4-r1 |
| pkg:apk/chainguard/logstash-9.3-with-output-opensearch | < 9.3.4-r1 |
| pkg:apk/chainguard/logstash-fips-9.3 | < 9.3.4-r1 |
| pkg:apk/chainguard/logstash-fips-9.3-iamguarded-compat | < 9.3.4-r1 |
| pkg:apk/chainguard/ruby3.2-kube-logging-operator-fluentd-outputs | < 6.5.0-r2 |
| pkg:apk/chainguard/ruby3.2-net-imap | < 0.6.4-r0 |
| pkg:apk/chainguard/ruby3.2-rails-7.2 | < 7.2.3.1-r2 |
| pkg:apk/chainguard/ruby3.2-rails-8.0 | < 8.0.5-r1 |
| pkg:apk/chainguard/ruby3.2-rails-8.1 | < 8.1.3-r3 |
| pkg:apk/chainguard/ruby3.3-net-imap | < 0.6.4-r0 |
| pkg:apk/chainguard/ruby3.3-rails-7.2 | < 7.2.3.1-r2 |
| pkg:apk/chainguard/ruby3.3-rails-8.0 | < 8.0.5-r2 |
| pkg:apk/chainguard/ruby3.3-rails-8.1 | < 8.1.3-r4 |
| pkg:apk/chainguard/ruby3.4-kube-logging-operator-fluentd-outputs | < 6.5.0-r2 |
| pkg:apk/chainguard/ruby3.4-net-imap | < 0.6.3-r0 |
| pkg:apk/chainguard/ruby3.4-rails-7.2 | < 7.2.3.1-r3 |
| pkg:apk/chainguard/ruby3.4-rails-8.0 | < 8.0.5-r2 |
| pkg:apk/chainguard/ruby3.4-rails-8.1 | < 8.1.3-r3 |
| pkg:apk/chainguard/ruby4.0-net-imap | < 0.6.4-r0 |
| pkg:apk/chainguard/ruby4.0-rails-7.2 | < 7.2.3.1-r3 |
| pkg:apk/chainguard/ruby4.0-rails-8.0 | < 8.0.5-r2 |
| pkg:apk/chainguard/ruby4.0-rails-8.1 | < 8.1.3-r4 |
| pkg:apk/chainguard/truffleruby | < 34.0.1-r2 |
| pkg:apk/wolfi/logstash-9.1 | < 9.1.10-r7 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.10-r7 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.10-r7 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.10-r7 |
| pkg:apk/wolfi/logstash-9.2 | < 9.2.8-r3 |
| pkg:apk/wolfi/logstash-9.2-iamguarded-compat | < 9.2.8-r3 |
| pkg:apk/wolfi/logstash-9.2-with-output-opensearch | < 9.2.8-r3 |
| pkg:apk/wolfi/logstash-9.3 | < 9.3.4-r1 |
| pkg:apk/wolfi/logstash-9.3-iamguarded-compat | < 9.3.4-r1 |
| pkg:apk/wolfi/logstash-9.3-with-output-opensearch | < 9.3.4-r1 |
| pkg:apk/wolfi/ruby3.2-kube-logging-operator-fluentd-outputs | < 6.5.0-r2 |
| pkg:apk/wolfi/ruby3.2-net-imap | < 0.6.4-r0 |
| pkg:apk/wolfi/ruby3.2-rails-8.0 | < 8.0.5-r1 |
| pkg:apk/wolfi/ruby3.2-rails-8.1 | < 8.1.3-r3 |
| pkg:apk/wolfi/ruby3.3-net-imap | < 0.6.4-r0 |
| pkg:apk/wolfi/ruby3.3-rails-8.0 | < 8.0.5-r2 |
| pkg:apk/wolfi/ruby3.3-rails-8.1 | < 8.1.3-r4 |
| pkg:apk/wolfi/ruby3.4-kube-logging-operator-fluentd-outputs | < 6.5.0-r2 |
| pkg:apk/wolfi/ruby3.4-net-imap | < 0.6.3-r0 |
| pkg:apk/wolfi/ruby3.4-rails-8.0 | < 8.0.5-r2 |
| pkg:apk/wolfi/ruby3.4-rails-8.1 | < 8.1.3-r3 |
| pkg:apk/wolfi/ruby4.0-net-imap | < 0.6.4-r0 |
| pkg:apk/wolfi/ruby4.0-rails-8.1 | < 8.1.3-r4 |
| pkg:gem/net-imap | >= 0.6.0, < 0.6.4 |
References
- github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612 (nvd: Patch, WEB)
- github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4 (nvd: Patch, WEB)
- github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758 (nvd: Patch, WEB)
- github.com/advisories/GHSA-87pf-fpwv-p7m7 (ghsa: ADVISORY)
- github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7 (nvd: Mitigation, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-42256 (ghsa: ADVISORY)
- github.com/ruby/net-imap/releases/tag/v0.4.24 (nvd: Release Notes, WEB)
- github.com/ruby/net-imap/releases/tag/v0.5.14 (nvd: Release Notes, WEB)
- github.com/ruby/net-imap/releases/tag/v0.6.4 (nvd: Release Notes, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42256.yml (ghsa: WEB)
- www.rfc-editor.org/rfc/rfc7804.html (ghsa: WEB)
News mentions
- Patch Tuesday - May 2026, Rapid7 Blog · May 13, 2026