CVE-2026-42257
critical
CVSS v3
9.8
CVSS v2
—
VIR risk
9.8
Description
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42257
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.6.4
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.5.14
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.4.24
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
| debian | bullseye | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | net-imap | <~> 0.4.24 | ~> 0.4.24 |
| RubyGems | net-imap | >=0.6.0,<0.6.4 | 0.6.4 |
| RubyGems | net-imap | >=0.5.0,<0.5.14 | 0.5.14 |
| RubyGems | net-imap | <0.4.24 | 0.4.24 |
| RUBYGEMS | net-imap | >= 0, <= 0.4.23 | 0.4.24 |
| RUBYGEMS | net-imap | >= 0.5.0, <= 0.5.13 | 0.5.14 |
| RUBYGEMS | net-imap | >= 0.6.0, <= 0.6.3 | 0.6.4 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ruby-lang | net\ | {"endExcluding":"0.4.24"} | 0.4.24 |
References
- https://github.com/ruby/net-imap/security/advisories/GHSA-hm49-wcqc-g2xg
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://nvd.nist.gov/vuln/detail/CVE-2026-42257
- https://github.com/ruby/net-imap/commit/0ec4fd351263e8b9a4f683713427827b7b1ad974
- https://github.com/ruby/net-imap/commit/47c72186d272441878ca73c9499f66013829ca2f
- https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b
- https://github.com/ruby/net-imap/commit/a4f7649c3da77dec7631f03a037a478eb4330048
- https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71
- https://github.com/ruby/net-imap
- https://security-tracker.debian.org/tracker/CVE-2026-42257
- https://github.com/advisories/GHSA-hm49-wcqc-g2xg
CWEs
CWE-77 CWE-93
Verify integrity in audit chain (admin only). AS-IS.