CVE-2026-42257
Published 2026-05-09
Priority: P2 / 61 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.43% (34.4th percentile)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Affected (26 ranges, showing 25)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 3scale-amp2 | system-rhel7 | — | — |
| 3scale-amp2 | system-rhel8 | — | — |
| 3scale-amp2 | system-rhel9 | — | — |
| 3scale-amp2 | zync-rhel8 | — | — |
| 3scale-amp2 | zync-rhel9 | — | — |
| 3scale-amp21 | system | — | — |
| 3scale-amp21 | zync | — | — |
| 3scale-amp22 | system | — | — |
| 3scale-amp22 | zync | — | — |
| debian | ruby3.3 | — | — |
| ruby-lang | net | < 0.4.24 | 0.4.24 |
| ruby-lang | net | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby-lang | net | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby-lang | ruby | — | — |
| ruby | net-imap | < 0.4.24 | 0.4.24 |
| ruby | net-imap | — | — |
| ruby | net-imap | — | — |
| ruby | net-imap | >= 0 < 0.5.15 | 0.5.15 |
| ruby | net-imap | >= 0 < 0.4.24 | 0.4.24 |
| ruby | net-imap | >= 0.5.0 < 0.5.14 | 0.5.14 |
| ruby | net-imap | >= 0.6.0 < 0.6.4.1 | 0.6.4.1 |
| ruby | net-imap | >= 0.6.0 < 0.6.4 | 0.6.4 |
| ruby_3.3 | ruby | — | — |
| ruby_4.0 | ruby | — | — |
| ubuntu | ruby2.3 | — | — |
Detection & IOCs (extracted from sources)
- Detect CRLF sequences (\r\n) injected into IMAP command arguments sent from a Net::IMAP client to an IMAP server, which may indicate attempted IMAP command injection.
- Monitor IMAP traffic for unexpected command sequences or protocol violations following a single client-initiated command, which may indicate injected commands via CRLF.
- Flag Ruby applications using Net::IMAP versions prior to 0.4.24, 0.5.14, or 0.6.4 that pass user-controlled input directly to IMAP command methods without sanitization.
- Vulnerable versions of the net-imap gem are 0.4.x prior to 0.4.24, 0.5.x prior to 0.5.14, and 0.6.x prior to 0.6.4; patched versions are 0.4.24, 0.5.14, and 0.6.4.
- Multiple Red Hat packages (3scale, RHEL 8/9/10 ruby packages) have fixes deferred or are under investigation, meaning vulnerable versions may remain deployed in those environments for an extended period.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 5.8 | MEDIUM | CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| GHSA | — | 9.8 | CRITICAL | — |
| Ubuntu (vendor) | — | 7.4 | HIGH | — |
| Red Hat (vendor) | — | 5.8 | MEDIUM | — |
GHSA · 2026-06-09 · CVSS 9.8
CVE-2026-47241 [CRITICAL] CWE-162: Net::IMAP: Denial of Service via incomplete raw argument validation
### Summary
Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed.
### Details
`Net::IMAP::RawData` was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trai
GHSA · 2026-06-09 · CVSS 9.8
CVE-2026-47240 [CRITICAL] CWE-77: Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument
Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.
### Details
Raw data arguments support embedded literal values, both synchronizing and non-synchronizing. Non-synchronizing literals can only be safely sent when the server advertises any of the `LITERAL+`, `LITERAL-`, or `IMAP4rev2` capabilities. But raw data arguments do not verify server support for non-synchronizing literals prior to sending.
Servers without support for non-synchronizing literals could handle them in several d
VulDB · 2026-05-18 · CVSS 5.8
CVE-2026-42257 [MEDIUM] ruby net-imap up to 0.4.23/0.5.13/0.6.3 Net::IMAP CRLF injection (GHSA-hm49-wcqc-g2xg)
A vulnerability described as problematic has been identified in ruby net-imap up to 0.4.23/0.5.13/0.6.3. Affected by this vulnerability is the function Net::IMAP. The manipulation results in CRLF injection.
This vulnerability is reported as CVE-2026-42257. The attack requires a local approach. No exploit exists.
Upgrading the affected component is recommended.
GHSA · 2026-05-04
CVE-2026-42257 [MEDIUM] CWE-77: net-imap vulnerable to command injection via "raw" arguments to multiple commands
### Summary
Several `Net::IMAP` commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain `CRLF` sequences, which an attacker can use to inject arbitrary IMAP commands.
### Details
`Net::IMAP`'s generic argument handling, used by most command arguments, interprets string arguments as an IMAP `astring`. Depending on the string contents and the connection's UTF-8 support, this encodes each string as an `atom`, a `quoted` string, or a `literal`. All three forms are safe from command or argument injection.
But the following commands transform specific String arguments to `Net::IMAP::RawData`, which bypasses normal
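As an added illustration of the contrast this advisory draws (not code from net-imap), the following models RFC 3501 astring encoding (atom, quoted, synchronizing literal) beside an unchecked raw pass-through and the CR/LF guard that the fix introduces, then counts how a literal-aware server would split each result into commands. Every name is hypothetical and the inputs are constructed.

```ruby
# RFC 3501 atom-specials (simplified): delimiters, wildcards, quoted-specials,
# the resp-special ']' and every control character, which includes CR and LF.
ATOM_SPECIALS = /[(){ %*"\\\]\x00-\x1f\x7f]/
CTL = /[\x00-\x1f\x7f]/

# How generic argument handling would send a String (hypothetical helper).
def classify_astring(str)
  return :quoted  if str.empty?
  return :atom    if str.ascii_only? && !str.match?(ATOM_SPECIALS)
  # CTLs and (without UTF-8 support) non-ASCII cannot go in a quoted string,
  # so they become a literal, which the server reads by byte count.
  return :literal if str.match?(CTL) || !str.ascii_only?
  :quoted
end

def encode_astring(str)
  case classify_astring(str)
  when :atom    then str
  when :quoted  then '"' + str.gsub(/["\\]/) { |c| "\\#{c}" } + '"'
  when :literal then "{#{str.bytesize}}\r\n#{str}"   # synchronizing literal
  end
end

# Vulnerable pattern: the raw argument reaches the wire untouched, so a CR/LF
# inside it ends the command early and whatever follows is parsed as a new one.
def raw_unchecked(str)
  str
end

# Hardened pattern (the shape of the fix): refuse raw arguments carrying CR/LF.
def raw_checked(str)
  raise ArgumentError, "raw argument must not contain CR or LF" if str.match?(/[\r\n]/)
  str
end

# Assemble a tagged command line using the given argument encoder.
def build_command(tag, name, arg, encoder)
  "#{tag} #{name} #{encoder.call(arg)}\r\n"
end

# Minimal server-side model: a line ending in "{n}" is followed by exactly n
# bytes of literal data that are never parsed as a command, and the same
# command then continues on the following line.
def count_server_commands(wire)
  wire = wire.b
  commands, pos = 0, 0
  while (nl = wire.index("\r\n", pos))
    line = wire[pos...nl]
    pos = nl + 2
    if (m = line.match(/\{(\d+)\}\z/))
      pos += m[1].to_i   # skip the literal payload
      next
    end
    commands += 1
  end
  commands
end
```

With the constructed input `"x\r\ny"`, `raw_unchecked` yields a stream the server reads as two commands, while `encode_astring` wraps it in a literal that the server reads as one.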
Ubuntu · 2026-06-15 · CVSS 7.4
CVE-2026-42257 [HIGH] Ruby vulnerabilities
Summary: Ruby could allow unintended access to network services.
It was discovered that Ruby's Net::IMAP library did not properly verify that Transport Layer Security (TLS) encryption was started after issuing a STARTTLS command. A remote attacker could possibly use this issue to perform a machine-in-the-middle attack and silently bypass TLS encryption. (CVE-2026-42246)
It was also discovered that Ruby's Net::IMAP library did not validate string arguments passed to certain commands. A remote attacker could possibly use this issue to inject arbitrary IMAP commands. (CVE-2026-42257)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2026-05-09 · CVSS 5.8
CVE-2026-42257 [MEDIUM] CWE-93: net-imap: Net::IMAP: Arbitrary IMAP command injection via CRLF sequences in unvalidated input
A flaw was found in Net::IMAP, a Ruby library for Internet Message Access Protocol (IMAP) client functionality. Several Net::IMAP commands accept raw string arguments that are sent to the server without proper validation or escaping. If an application uses user-controlled input for these arguments, a remote attacker could inject Carriage Return Line Feed (CRLF) sequences.
Package: 3scale-amp21/system (Red Hat 3scale API Management Platform 2) - Fix deferred
Package: 3scale-amp21/zync (Red Hat 3scale API Management Platform 2) - Fix deferred
Package: 3scale-amp22/system (Red Hat 3scale API Management Platform 2) - Fix deferred
Package: 3scale-amp22/zync (Red Hat 3scale API Management Platform
No detection rules found.
No public exploits indexed.
Rapid7 · 2026-05-13 · CVSS 10.0
CVE-2026-41089 [CRITICAL] Patch Tuesday - May 2026
Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.
## Windows Netlogon: critical RCE
Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges
Bugzilla · 2026-05-09 · CVSS 5.8
CVE-2026-42257 [MEDIUM] net-imap: Net::IMAP: Arbitrary IMAP command injection via CRLF sequences in unvalidated input
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09