CVE-2026-42256

EUVD-2026-28925
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
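
The client-side control this description implies is to bound the server-supplied iteration count before running PBKDF2. The sketch below is an added example, not Net::IMAP's code or its patch; the constant `MAX_SCRAM_ITERATIONS`, its value, the helper names and the sample messages are assumptions made for illustration.

```ruby
require "openssl"

# Assumed client policy for this example; the constant name and value are
# hypothetical and are not Net::IMAP settings.
MAX_SCRAM_ITERATIONS = 1_000_000

class ScramPolicyError < StandardError; end

# Parse an RFC 5802 server-first-message ("r=<nonce>,s=<base64 salt>,i=<count>")
# and validate every server-controlled field before any key derivation runs.
def parse_server_first(message, client_nonce)
  attrs = message.split(",").map { |kv| kv.partition("=").values_at(0, 2) }.to_h
  nonce, salt_b64, count = attrs.values_at("r", "s", "i")

  unless nonce && nonce.start_with?(client_nonce) && nonce.length > client_nonce.length
    raise ScramPolicyError, "server nonce does not extend the client nonce"
  end
  # Bound the digit count first so a huge decimal string is never converted.
  raise ScramPolicyError, "iteration count is not a positive integer" unless count&.match?(/\A[1-9]\d{0,9}\z/)
  iterations = count.to_i
  raise ScramPolicyError, "iteration count #{iterations} exceeds cap" if iterations > MAX_SCRAM_ITERATIONS
  begin
    salt = salt_b64.to_s.unpack1("m0") # strict base64 decode
  rescue ArgumentError
    raise ScramPolicyError, "salt is not valid base64"
  end
  raise ScramPolicyError, "salt is empty" if salt.empty?
  { nonce: nonce, salt: salt, iterations: iterations }
end

# SaltedPassword = Hi(password, salt, i): PBKDF2-HMAC with one hash-length block.
# SASLprep normalization of the password is omitted here.
def salted_password(password, server_first, client_nonce, hash: "SHA256")
  params = parse_server_first(server_first, client_nonce)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: params[:salt], iterations: params[:iterations],
                           length: OpenSSL::Digest.new(hash).digest_length, hash: hash)
end

# Constructed sample messages (not captured traffic).
SAMPLE_NONCE = "cnonce123"
SAMPLE_SALT = ["constructed-salt"].pack("m0")
BENIGN_FIRST = "r=#{SAMPLE_NONCE}srv456,s=#{SAMPLE_SALT},i=4096"
HOSTILE_FIRST = "r=#{SAMPLE_NONCE}srv456,s=#{SAMPLE_SALT},i=4000000000"

[BENIGN_FIRST, HOSTILE_FIRST].each do |msg|
  puts salted_password("pencil", msg, SAMPLE_NONCE).unpack1("H*")
rescue ScramPolicyError => e
  puts "rejected: #{e.message}"
end
```

The rejection happens during parsing, so the oversized count never reaches the key derivation function.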

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |

EPSS Score percentile: 21%

Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| ruby-lang | net\ | 0.4.0 ≤ 𝑥 < 0.4.24 |
| ruby-lang | net\ | 0.5.0 ≤ 𝑥 < 0.5.14 |
| ruby-lang | net\ | 0.6.0 ≤ 𝑥 < 0.6.4 |

𝑥 = Vulnerable software versions

Amazon Linux Releases

| Amazon Package | Release | Version | Status |
|---|---|---|---|
| ruby3.4 | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-bundled-gems | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-bundled-gems-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-debugsource | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-default-gems | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-devel | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-doc | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-libs | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-libs-debuginfo | Amazon Linux 2023 | 0:3.4.8-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-bigdecimal | Amazon Linux 2023 | 0:3.1.8-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-bigdecimal-debuginfo | Amazon Linux 2023 | 0:3.1.8-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-bundler | Amazon Linux 2023 | 0:2.6.9-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-io-console | Amazon Linux 2023 | 0:0.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-io-console-debuginfo | Amazon Linux 2023 | 0:0.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-irb | Amazon Linux 2023 | 0:1.14.3-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-json | Amazon Linux 2023 | 0:2.9.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-json-debuginfo | Amazon Linux 2023 | 0:2.9.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-minitest | Amazon Linux 2023 | 0:5.25.4-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-power_assert | Amazon Linux 2023 | 0:2.0.5-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-psych | Amazon Linux 2023 | 0:5.2.2-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-psych-debuginfo | Amazon Linux 2023 | 0:5.2.2-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-racc | Amazon Linux 2023 | 0:1.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-racc-debuginfo | Amazon Linux 2023 | 0:1.8.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rake | Amazon Linux 2023 | 0:13.2.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rbs | Amazon Linux 2023 | 0:3.8.0-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rbs-debuginfo | Amazon Linux 2023 | 0:3.8.0-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rdoc | Amazon Linux 2023 | 0:6.14.0-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rexml | Amazon Linux 2023 | 0:3.4.4-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-rss | Amazon Linux 2023 | 0:0.3.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-test-unit | Amazon Linux 2023 | 0:3.6.7-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygem-typeprof | Amazon Linux 2023 | 0:0.30.1-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygems | Amazon Linux 2023 | 0:3.6.9-27.amzn2023.0.6 | fixed |
| ruby3.4-rubygems-devel | Amazon Linux 2023 | 0:3.6.9-27.amzn2023.0.6 | fixed |