CVE-2026-42258
critical
CVSS v3
9.8
CVSS v2
—
VIR risk
9.8
Description
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Predictions
Exploit likelihood
97%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-42258
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.6.4
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.5.14
Vendor advisory: security-advisories@github.com — https://github.com/ruby/net-imap/releases/tag/v0.4.24
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bullseye | affected | |
| debian | bookworm | affected | |
| debian | forky | affected | |
| debian | sid | affected | |
| debian | trixie | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | net-imap | <~> 0.4.24 | ~> 0.4.24 |
| RubyGems | net-imap | >=0.6.0,<0.6.4 | 0.6.4 |
| RubyGems | net-imap | >=0.5.0,<0.5.14 | 0.5.14 |
| RubyGems | net-imap | <0.4.24 | 0.4.24 |
| RUBYGEMS | net-imap | >= 0, <= 0.4.23 | 0.4.24 |
| RUBYGEMS | net-imap | >= 0.5.0, <= 0.5.13 | 0.5.14 |
| RUBYGEMS | net-imap | >= 0.6.0, <= 0.6.3 | 0.6.4 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| ruby-lang | net\ | {"endExcluding":"0.4.24"} | 0.4.24 |
References
- https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://nvd.nist.gov/vuln/detail/CVE-2026-42258
- https://github.com/ruby/net-imap/commit/6bf02aef7e0b5931010c36e377f79a71636b306b
- https://github.com/ruby/net-imap/commit/9db3e9d60bfb8f3735ea95015bf8a700f4af9cbb
- https://github.com/ruby/net-imap/commit/aec06996eb87a7e1bbcef1f9f8926e8add2b8c71
- https://github.com/ruby/net-imap
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/net-imap/CVE-2026-42258.yml
- https://security-tracker.debian.org/tracker/CVE-2026-42258
- https://github.com/advisories/GHSA-75xq-5h9v-w6px
CWEs
CWE-77 CWE-93
Verify integrity in audit chain (admin only). AS-IS.