CVE-2026-42256
Published 2026-05-09
Priority P4 · 34 · medium 6.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
EPSS: 0.30% (21.5th percentile)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | system-rhel7 | — | — |
| 3scale-amp2 | system-rhel8 | — | — |
| 3scale-amp2 | system-rhel9 | — | — |
| 3scale-amp2 | zync-rhel8 | — | — |
| 3scale-amp2 | zync-rhel9 | — | — |
| 3scale-amp21 | system | — | — |
| 3scale-amp21 | zync | — | — |
| 3scale-amp22 | system | — | — |
| 3scale-amp22 | zync | — | — |
| debian | ruby3.3 | — | — |
| ruby-lang | net | >= 0.4.0 < 0.4.24 | 0.4.24 |
| ruby-lang | net | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby-lang | net | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby-lang | ruby | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | >= 0.4.0 < 0.4.24 | 0.4.24 |
| ruby | net-imap | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby | net-imap | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby_3.3 | ruby | — | — |
| ruby_4.0 | ruby | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| nvd | v4.0 | 6.0 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | — | 6.0 | MEDIUM | — |
VulDB
ruby net-imap up to 0.4.23/0.5.13/0.6.3 Net::IMAP blocking code in single-threaded, non-blocking context (GHSA-87pf-fpwv-p7m7)
vuldb · 2026-05-18 · CVSS 6.0 · MEDIUM
A vulnerability marked as problematic has been reported in ruby net-imap up to 0.4.23/0.5.13/0.6.3. Affected is the function Net::IMAP. The manipulation leads to use of blocking code in single-threaded, non-blocking context.
This vulnerability is documented as CVE-2026-42256. The attack can be initiated remotely. No exploit is available.
It is suggested to upgrade the affected component.
GHSA
net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
ghsa · 2026-05-04 · MEDIUM · CWE-1322
### Summary
When authenticating a connection with `SCRAM-SHA1` or `SCRAM-SHA256`, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value.
### Details
A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the SCRAM server-first-message, causing the client to perform an expensive `OpenSSL::KDF.pbkdf2_hmac` call. Because the PBKDF2 function is a blocking C extension and holds onto Ruby’s Global VM Lock, it can freeze the entire Ruby VM for the duration of the computation.
OpenSSL enforces an effective maximum by using a 32-bit signed integer for the iteration count. Depending on hardware capabili
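The client-side mitigation the advisory points at, validating the server-supplied iteration count before the expensive PBKDF2 call, as an added Ruby example (this is not net-imap's own code; the `ScramGuard` module, its `MAX_ITERATIONS` cap and the sample server-first-messages are assumptions):

```ruby
require "openssl"
require "base64"

# Added example, not net-imap's implementation: parse a SCRAM server-first-message
# and refuse to derive SaltedPassword when the iteration count is out of bounds,
# so a hostile server cannot pin the VM in OpenSSL::KDF.pbkdf2_hmac.
module ScramGuard
  MIN_ITERATIONS = 4096       # RFC 5802 / RFC 7677 recommended minimum
  MAX_ITERATIONS = 1_000_000  # assumed client-side cap; not a standardised value

  class ServerError < StandardError; end

  # server-first-message per RFC 5802: "r=<nonce>,s=<base64 salt>,i=<count>"
  def self.parse_server_first(msg)
    fields = msg.split(",").to_h { |f| k, v = f.split("=", 2); [k, v] }
    nonce, salt_b64, iter = fields.values_at("r", "s", "i")
    raise ServerError, "missing r, s or i attribute" if nonce.nil? || salt_b64.nil? || iter.nil?
    # Only a plain positive decimal is accepted; "0", "-1", "1e9", "0x10" are all rejected.
    raise ServerError, "malformed iteration count #{iter.inspect}" unless iter.match?(/\A[1-9][0-9]*\z/)
    salt = begin
      Base64.strict_decode64(salt_b64)
    rescue ArgumentError
      raise ServerError, "salt is not valid base64"
    end
    { nonce: nonce, salt: salt, iterations: Integer(iter, 10) }
  end

  # Bounds check happens before any key derivation work is done.
  def self.check_iterations!(i)
    raise ServerError, "iteration count #{i} below minimum #{MIN_ITERATIONS}" if i < MIN_ITERATIONS
    raise ServerError, "iteration count #{i} exceeds cap #{MAX_ITERATIONS}" if i > MAX_ITERATIONS
    i
  end

  # SaltedPassword := Hi(password, salt, i) (RFC 5802), computed only after validation.
  def self.salted_password(password, server_first, digest: "SHA256")
    p = parse_server_first(server_first)
    check_iterations!(p[:iterations])
    OpenSSL::KDF.pbkdf2_hmac(password, salt: p[:salt], iterations: p[:iterations],
                             length: OpenSSL::Digest.new(digest).digest_length, hash: digest)
  end
end

# Constructed sample messages (salt value taken from the RFC 5802 example exchange).
GOOD_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
HOSTILE_SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=2147483647"
```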
Red Hat
ruby/net-imap: ruby: Net::IMAP: Denial of Service via large iteration count in SCRAM authentication
vendor_redhat · 2026-05-09 · CVSS 6.0 · MEDIUM · CWE-606
A flaw was found in Net::IMAP, a Ruby library for Internet Message Access Protocol (IMAP) client functionality. A hostile server can exploit this vulnerability during SCRAM-SHA1 or SCRAM-SHA256 (Salted Challenge Response Authentication Mechanism - Secure Hash Algorithm 1 or 256) authentication by sending an excessively large iteration count value. This can lead to a computational denial-of-service attack, causing the client process to become unresponsive.
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or st
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42256 ruby/net-imap: ruby: Net::IMAP: Denial of Service via large iteration count in SCRAM authentication
bugzilla · 2026-05-09 · CVSS 6.0 · MEDIUM
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Rapid7
Patch Tuesday - May 2026
blogs_rapid7 · 2026-05-13 · CVSS 10.0 · CVE-2026-41089 [CRITICAL]
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
References
- https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612
- https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4
- https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7