CVE-2026-42245

high
Published 2026-05-04 · Modified 2026-05-14
CVSS v3
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v2
VIR risk
7.5

Description

net-imap has quadratic complexity when reading response literals

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42245

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-42245.html

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.6.4

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.5.14

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.4.24

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96

OS impact

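| OS | Version | Status | Fixed in |
|---|---|---|---|
| suse sles | | affected | |
| debian debian | bookworm | affected | |
| debian debian | bullseye | affected | |
| debian debian | forky | affected | |
| debian debian | sid | affected | |
| debian debian | trixie | affected | |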

Package impact

| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| ruby RubyGems | net-imap | <~> 0.4.24 | ~> 0.4.24 |
| ruby RubyGems | net-imap | >=0.6.0,<0.6.4 | 0.6.4 |
| ruby RubyGems | net-imap | >=0.5.0,<0.5.14 | 0.5.14 |
| ruby RubyGems | net-imap | <0.4.24 | 0.4.24 |
| ruby RUBYGEMS | net-imap | >= 0, <= 0.4.23 | 0.4.24 |
| ruby RUBYGEMS | net-imap | >= 0.5.0, <= 0.5.13 | 0.5.14 |
| ruby RUBYGEMS | net-imap | >= 0.6.0, <= 0.6.3 | 0.6.4 |

Application impact

| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ruby ruby-lang | net\ | {"endExcluding":"0.4.24"} | 0.4.24 |

References

CWEs

CWE-407
