CVE-2026-42246
Description
net-imap vulnerable to STARTTLS stripping via invalid response timing
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42246
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.5.14
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.4.24
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.3.10
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | affected | |
| debian | bookworm | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | net-imap | <~> 0.3.10 | ~> 0.3.10 |
| RubyGems | net-imap | >=0.6.0,<0.6.4 | 0.6.4 |
| RubyGems | net-imap | >=0.5.0,<0.5.14 | 0.5.14 |
| RubyGems | net-imap | >=0.4.0,<0.4.24 | 0.4.24 |
| RubyGems | net-imap | <0.3.10 | 0.3.10 |
| RUBYGEMS | net-imap | >= 0, <= 0.3.9 | 0.3.10 |
| RUBYGEMS | net-imap | >= 0.4.0, <= 0.4.23 | 0.4.24 |
| RUBYGEMS | net-imap | >= 0.5.0, <= 0.5.13 | 0.5.14 |
| RUBYGEMS | net-imap | >= 0.6.0, <= 0.6.3 | 0.6.4 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ruby-lang | net\ | {"endExcluding":"0.3.10"} | 0.3.10 |
References
- https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp
- https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618
- https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e
- https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c
- https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da
- https://github.com/ruby/net-imap/releases/tag/v0.3.10
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://nvd.nist.gov/vuln/detail/CVE-2026-42246
- https://github.com/ruby/net-imap
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42246.yml
- https://nostarttls.secvuln.info
- https://www.rfc-editor.org/info/rfc8314
- https://security-tracker.debian.org/tracker/CVE-2026-42246
- https://github.com/advisories/GHSA-vcgp-9326-pqcp
CWEs
CWE-392 CWE-393 CWE-636 CWE-754 CWE-841
Verify integrity in audit chain (admin only). AS-IS.