CVE-2026-42256

medium
Published 2026-05-04 · Modified 2026-05-14
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVSS v2:
VIR risk: 6.5

Description

net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication

Predictions

Exploit likelihood: 75%
Patch ETA:

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor, authored 2026-05-27. Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42256
vendor, authored 2026-05-27. Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-42256.html
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/security/advisories/GHSA-87pf-fpwv-p7m7
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.6.4
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.5.14
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.4.24
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/99f59eab6064955a23debd95410263ad144df758
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/808001bc45c06f7297a7e96d341279e041a7f7f4
vendor, authored 2026-05-27. Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/commit/158d0b505074397cdb5ceb58935e42dd2bcfa612

OS impact

OS       Version    Status     Fixed in
suse     sles       affected
debian   bullseye   affected
debian   bookworm   affected
debian   forky      affected
debian   sid        affected
debian   trixie     affected

Package impact

Ecosystem   Package    Vulnerable                 Fixed
RubyGems    net-imap   !< 0.4.0||<~> 0.4.24       ~> 0.4.24
RubyGems    net-imap   >= 0.6.0, < 0.6.4          0.6.4
RubyGems    net-imap   >= 0.5.0, < 0.5.14         0.5.14
RubyGems    net-imap   >= 0.4.0, < 0.4.24         0.4.24
RUBYGEMS    net-imap   >= 0.4.0, <= 0.4.23        0.4.24
RUBYGEMS    net-imap   >= 0.5.0, <= 0.5.13        0.5.14
RUBYGEMS    net-imap   >= 0.6.0, <= 0.6.3         0.6.4

Application impact

Vendor      Product   Versions                                           Fixed
ruby-lang   net       {"startIncluding":"0.4.0","endExcluding":"0.4.24"}   0.4.24

References

CWEs

CWE-770 CWE-1322