PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42256 Unknown Vendor CVE debrief

CVE-2026-42256 is a client-side denial-of-service issue in Ruby's Net::IMAP library. When a connection authenticates with SCRAM-SHA1 or SCRAM-SHA256, a hostile IMAP server can send an excessively large iteration count that causes the client process to burn CPU during authentication. The issue is fixed in Net::IMAP 0.4.24, 0.5.14, and 0.6.4.

Vendor: Unknown Vendor
Product: Unknown
CVSS: MEDIUM 6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Teams running Ruby applications that use Net::IMAP and authenticate to IMAP servers with SCRAM-SHA1 or SCRAM-SHA256 should care, especially if the server may be untrusted, externally controlled, or reachable over the internet.

Technical summary

The CVE record lists the affected versions as 0.4.0 up to but not including 0.4.24, 0.5.0 up to but not including 0.5.14, and 0.6.0 up to but not including 0.6.4. In SCRAM-SHA1 and SCRAM-SHA256 authentication the server chooses the iteration count the client must use when deriving its salted password, so a hostile server can supply a very large value that forces excessive computation on the client. The result is a denial of service against the client process, not a server compromise. The NVD entry assigns CVSS 4.0 vector elements consistent with network reachability and high availability impact.
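As an added illustration (not Net::IMAP's code, and not a description of how the fixed releases implement their mitigation, which this debrief does not cover), the following Ruby snippet parses a SCRAM server-first message and refuses a server-chosen iteration count above a policy cap before any PBKDF2 work is done. The cap value is an assumption; the sample message values are borrowed from the RFC 5802 example exchange.

```ruby
require "openssl"

# Assumed cap, not from the advisory: RFC 5802 asks servers to announce
# at least 4096, so a bound well above that costs nothing for honest servers.
MAX_SCRAM_ITERATIONS = 1_000_000
ScramParams = Struct.new(:nonce, :salt, :iterations)
class ScramServerError < StandardError; end

# Parses an RFC 5802 server-first message ("r=<nonce>,s=<base64>,i=<n>")
# and refuses anything that would force unbounded work on the client.
def parse_server_first(message, client_nonce, max_iterations: MAX_SCRAM_ITERATIONS)
  # Split on the first "=" only: base64 salts end in "=" padding.
  attrs = message.split(",").map { |f| f.split("=", 2) }.select { |kv| kv.size == 2 }.to_h
  nonce, salt_b64, iter = attrs.values_at("r", "s", "i")
  raise ScramServerError, "missing r, s or i attribute" if [nonce, salt_b64, iter].any?(&:nil?)

  # The server nonce must extend the client nonce (RFC 5802 section 5.1).
  unless nonce.start_with?(client_nonce) && nonce.length > client_nonce.length
    raise ScramServerError, "server nonce does not extend client nonce"
  end

  # Iteration count: decimal digits, positive, and no larger than policy allows.
  raise ScramServerError, "malformed iteration count #{iter.inspect}" unless iter.match?(/\A[1-9]\d*\z/)
  iterations = iter.to_i
  raise ScramServerError, "iteration count #{iterations} exceeds cap #{max_iterations}" if iterations > max_iterations
  salt = (salt_b64.unpack1("m0") rescue nil) # strict base64 decode; nil on bad input
  raise ScramServerError, "salt is not valid base64" unless salt

  ScramParams.new(nonce, salt, iterations)
end

# SaltedPassword := Hi(password, salt, i) from RFC 5802 section 3. The cost is
# linear in the iteration count, which is exactly what the cap above bounds.
def salted_password(password, params, digest: "sha256")
  OpenSSL::KDF.pbkdf2_hmac(password, salt: params.salt, iterations: params.iterations,
                           length: OpenSSL::Digest.new(digest).digest_length, hash: digest)
end

if __FILE__ == $PROGRAM_NAME
  nonce = "rOprNGfwEbeRWgbNEkqO" # values borrowed from the RFC 5802 example exchange
  good = "r=#{nonce}hvYDpWUa2RaTCAfuxFIlj)hNlF$k0,s=QSXCR+Q6sek8bf92,i=4096"
  p parse_server_first(good, nonce)
  # Same message with a server-chosen count that would stall the client.
  begin
    parse_server_first(good.sub("i=4096", "i=99999999999"), nonce)
  rescue ScramServerError => e
    puts "rejected: #{e.message}"
  end
end
```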

Defensive priority

Medium. The impact is availability-focused and requires interaction with a malicious or hostile IMAP server, but affected clients may be exposed during routine mail authentication.

Recommended defensive actions

  • Upgrade Net::IMAP to a fixed release: 0.4.24, 0.5.14, or 0.6.4, depending on the version line in use.
  • Inventory Ruby applications and services that use Net::IMAP so you can confirm whether SCRAM-SHA1 or SCRAM-SHA256 authentication is enabled.
  • Treat IMAP servers you do not fully trust as higher risk until patched clients are deployed.
  • Monitor for unusual CPU spikes or authentication stalls in mail-related workers, which may indicate exposure to this issue.
  • If immediate upgrading is not possible, reduce exposure by avoiding SCRAM-based authentication to untrusted servers until the patch is applied.

Evidence notes

This debrief is based only on the supplied CVE description, the NVD record metadata, and the GitHub security-advisory references listed in the source corpus. The supplied record states the affected version ranges, the hostile-server iteration-count trigger, and the fixed releases. The CVSS data and CWE mappings come from the NVD entry metadata. No additional claims were inferred beyond those sources.

Official resources

Published in the supplied CVE record on 2026-05-09. The source corpus does not indicate KEV listing or ransomware association.