PatchSiren cyber security CVE debrief

CVE-2026-42245 Unknown Vendor CVE debrief

CVE-2026-42245 is a denial-of-service issue in Ruby’s Net::IMAP client library. Before versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader can take quadratic time when processing large responses with many string literals. An attacker controlling or emulating an IMAP server can use crafted responses to exhaust client CPU and disrupt service. The issue was publicly recorded on 2026-05-09 and is fixed in the cited release lines.

Vendor: Unknown Vendor
Product: Unknown
CVSS: LOW 2.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Organizations and developers using Ruby’s Net::IMAP client, especially software that connects to untrusted or third-party IMAP servers. This matters most for applications where IMAP connectivity is automatic, continuous, or customer-facing, because a malicious server can trigger CPU exhaustion in the client.

Technical summary

The flaw is in Net::IMAP::ResponseReader’s response handling. For large responses containing many string literals, the parser exhibits quadratic time complexity, creating an attacker-controlled CPU denial-of-service condition. The source advisory and CVE record point to fixes in net-imap releases 0.4.24, 0.5.14, and 0.6.4, with CWE-407 assigned in the referenced metadata.

Defensive priority

Low severity overall, but prioritize remediation if your Ruby application connects to servers you do not fully trust or if IMAP parsing occurs in shared or high-availability workloads.

Recommended defensive actions

  • Upgrade net-imap to a fixed version: 0.4.24, 0.5.14, or 0.6.4, depending on the release line you use.
  • Review deployments that connect to third-party or user-supplied IMAP servers, since the issue is triggered by hostile server responses.
  • Monitor for unusual CPU spikes in processes that parse IMAP responses, especially when handling large or atypical server replies.
  • If immediate upgrading is not possible, reduce exposure by limiting connections to trusted servers and isolating the client workload where feasible.
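A version check supporting the first action above, added here as an example that is not part of this debrief or of the net-imap project; it assumes only the three fixed releases named in the advisory and treats any other release line as out of scope.

```ruby
# Added example (not from the PatchSiren debrief or the net-imap project):
# classifies a net-imap gem version against the fixed releases named for
# CVE-2026-42245, matching on the release line (0.4 / 0.5 / 0.6).
require "rubygems"

# Earliest fixed release in each affected line, as stated in the advisory.
NET_IMAP_FIXED = {
  "0.4" => Gem::Version.new("0.4.24"),
  "0.5" => Gem::Version.new("0.5.14"),
  "0.6" => Gem::Version.new("0.6.4"),
}.freeze

# Returns :fixed, :vulnerable, or :unknown for a version string.
# Lines other than 0.4, 0.5 and 0.6 are reported as :unknown because the
# advisory says nothing about them (an assumption of this example, not a
# statement that they are safe).
def net_imap_status(version_string)
  version = Gem::Version.new(version_string)
  line = version.segments.first(2).join(".")
  fixed = NET_IMAP_FIXED[line]
  return :unknown if fixed.nil?
  version >= fixed ? :fixed : :vulnerable
end

# Reads the net-imap version installed in the current Ruby environment,
# or nil when the gem is not present.
def installed_net_imap_version
  Gem::Specification.find_by_name("net-imap").version.to_s
rescue Gem::LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  v = installed_net_imap_version
  puts(v ? "net-imap #{v}: #{net_imap_status(v)}" : "net-imap gem not installed")
end
```

Run it inside the application's bundle (for example via `bundle exec`) so the version reported is the one the application actually loads.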

Evidence notes

The CVE record and NVD source item identify Net::IMAP in Ruby as the affected component and cite GitHub security-advisory references to three fixes and three corresponding release tags. The provided description states the issue is a quadratic-time parsing problem in ResponseReader that allows a hostile server to exhaust client CPU. Published and modified timestamps supplied for the CVE are 2026-05-09T20:16:28.017Z.

Official resources

Publicly disclosed in the CVE record on 2026-05-09T20:16:28.017Z; this debrief uses that CVE publication time as the issue date context.