Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Published: 2026-05-09
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Net::IMAP versions 0.4.0 through before 0.4.24, 0.5.0 through before 0.5.14, and 0.6.0 through before 0.6.4. When an IMAP client authenticates with SCRAM‑SHA1 or SCRAM‑SHA256, a malicious server can cause a denial-of-service by sending a very large iteration count value. The client then performs excessive cryptographic iterations, consuming CPU and memory until the process becomes unresponsive or crashes. The weakness is related to CWE‑1322 (Improper Validation of Cryptographic Parameters) and CWE‑770 (Allocation of Resources on Demand Without Limits).

Affected Systems

Ruby Net::IMAP clients in the Ruby net-imap library—specifically version ranges 0.4.0 to 0.4.23, 0.5.0 to 0.5.13, and 0.6.0 to 0.6.3—are affected. The issue has been patched in releases 0.4.24, 0.5.14, and 0.6.4, and later versions are safe.

Risk and Exploitability

The CVSS score is 6, indicating a medium severity. EPSS data is not available, so the exploitation probability cannot be quantified, but the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an untrusted IMAP server that an attacker controls; by sending a high iteration count during SCRAM authentication, the attacker forces the client to expend an unreasonable amount of CPU time, leading to a denial of service. The exploit requires no prior compromise of the client and only depends on the authenticity of the server side of the conversation.

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Net::IMAP gem to version 0.4.24, 0.5.14, 0.6.4, or later to apply the vendor patch
  • If SCRAM authentication is not required for your workflow, disable SCRAM-SHA1 and SCRAM-SHA256 in the client configuration to eliminate the attack surface
  • Restrict outbound IMAP connections to trusted, hardened servers and monitor client resource usage to detect and mitigate anomalous CPU consumption

Generated by OpenCVE AI on May 9, 2026 at 21:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-87pf-fpwv-p7m7 net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication
History

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
Title net-imap: Denial of service via high iteration count for `SCRAM-*` authentication
Weaknesses CWE-1322
CWE-770
References
Metrics cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:38:33.106Z

Reserved: 2026-04-26T11:53:27.704Z

Link: CVE-2026-42256

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:28.313

Modified: 2026-05-09T20:16:28.313

Link: CVE-2026-42256

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z

Weaknesses