Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Net::IMAP versions 0.4.0 through before 0.4.24, 0.5.0 through before 0.5.14, and 0.6.0 through before 0.6.4. When an IMAP client authenticates with SCRAM‑SHA1 or SCRAM‑SHA256, a malicious server can cause a denial‑of‑service by sending a very large iteration count value. The client then performs excessive cryptographic iterations, consuming CPU and memory until the process becomes unresponsive or crashes. The weakness is related to CWE‑1322 (Improper Validation of Cryptographic Parameters), CWE‑770 (Allocation of Resources on Demand Without Limits), and CWE‑606 (Unchecked Input for Loops).

Affected Systems

Ruby Net::IMAP clients in the Ruby net‑imap library—specifically version ranges 0.4.0 to 0.4.23, 0.5.0 to 0.5.13, and 0.6.0 to 0.6.3—are affected. The issue has been patched in releases 0.4.24, 0.5.14, and 0.6.4, and later versions are safe.

Risk and Exploitability

The CVSS score is 6, indicating a medium severity. EPSS score is 0.00066 (<1%), indicating a very low exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an untrusted IMAP server that an attacker controls; by sending a high iteration count during SCRAM authentication, the attacker forces the client to expend an unreasonable amount of CPU time, leading to a denial of service. The exploit requires no prior compromise of the client and only depends on the authenticity of the server side of the conversation.

Generated by OpenCVE AI on May 16, 2026 at 01:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Net::IMAP gem to version 0.4.24, 0.5.14, 0.6.4, or later to apply the vendor patch
  • If SCRAM authentication is not required for your workflow, disable SCRAM‑SHA1 and SCRAM‑SHA256 in the client configuration to eliminate the attack surface
  • Restrict outbound IMAP connections to trusted, hardened servers and monitor client resource usage to detect and mitigate anomalous CPU consumption

Generated by OpenCVE AI on May 16, 2026 at 01:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87pf-fpwv-p7m7 net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
History

Mon, 18 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang net\
CPEs cpe:2.3:a:ruby-lang:net\:\:imap:*:*:*:*:*:ruby:*:*
Vendors & Products Ruby-lang net\

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-606
References
Metrics threat_severity

None

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate

Mon, 11 May 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Ruby-lang
Ruby-lang net::imap
Vendors & Products Ruby-lang
Ruby-lang net::imap

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Title net-imap: Denial of service via high iteration count for `SCRAM-*` authentication
Weaknesses CWE-1322
CWE-770
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Ruby-lang Net::imap Net\
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T17:04:42.562Z

Reserved: 2026-04-26T11:53:27.704Z

Link: CVE-2026-42256

cve-icon Vulnrichment

Updated: 2026-05-11T17:04:36.128Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-09T20:16:28.313

Modified: 2026-05-18T18:06:58.657

Link: CVE-2026-42256

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-09T19:38:33Z

Links: CVE-2026-42256 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-16T02:00:12Z

Weaknesses