PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42258 Unknown Vendor CVE debrief

CVE-2026-42258 is a medium-severity injection issue in Ruby's Net::IMAP client library, distributed as the net-imap gem. According to the NVD record and the GitHub security advisory references, Ruby Symbol arguments passed to IMAP commands could be abused for CRLF injection and, through it, IMAP command injection. The issue was publicly disclosed on 2026-05-09 and is patched in Net::IMAP 0.4.24, 0.5.14, and 0.6.4.

Vendor
Not recorded in the stored metadata (the CVE description identifies the affected component as Ruby's Net::IMAP)
Product
Not recorded in the stored metadata (the CVE description names Net::IMAP, the net-imap gem)
CVSS
MEDIUM 5.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-09
Original CVE updated
2026-05-09
Advisory published
2026-05-09
Advisory updated
2026-05-09

Who should care

Teams maintaining Ruby applications that depend on the net-imap gem, especially if application code passes symbol arguments into IMAP command methods.

Technical summary

The vulnerability allows Ruby Symbol arguments supplied to Net::IMAP commands to carry CR/LF into the serialized command, which ends the current command line and lets whatever follows be parsed by the server as additional IMAP commands. Net::IMAP uses Symbols for IMAP flags (for example :Seen or :Deleted when calling #store), so the exposure is code that builds such symbols from externally influenced input rather than from fixed literals. The NVD metadata maps this to CWE-93 (improper neutralization of CRLF sequences) and CWE-77 (command injection) and records the issue as fixed by Net::IMAP releases 0.4.24, 0.5.14, and 0.6.4.
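The following Ruby snippet is an added illustration of the mechanism described above; it is not code from net-imap or from the advisory. The serializer in it is a deliberately simplified model of what a client does when it emits a Symbol as a flag atom without checking the name, and the allowlist validator beside it is a hypothetical guard (validate_flag_symbol) that an application could run before handing externally influenced flags to Net::IMAP. The command strings and the injected flag name are constructed for the example.

```ruby
# Added illustration for the symbol-argument CRLF problem behind
# CVE-2026-42258. The serializer below is a simplified model written for
# this page, NOT net-imap's own code: it emits a Symbol as an IMAP flag atom
# ("\" + name) and copies the name verbatim, which is the shape of mistake
# that lets CR/LF in a Symbol name split one command into several.

# Conservative allowlist for flag names (hypothetical guard). It is stricter
# than the RFC 3501 "atom" grammar on purpose: it rejects CR, LF, NUL,
# spaces, parentheses, quotes and backslashes, the characters that break
# command framing.
VALID_FLAG_NAME = /\A[A-Za-z0-9$_.\-]+\z/

# Returns the symbol unchanged if its name is a safe flag name, otherwise
# raises ArgumentError. Run this before passing externally influenced flags
# to methods such as Net::IMAP#store or #append.
def validate_flag_symbol(sym)
  name = sym.to_s
  unless name.match?(VALID_FLAG_NAME)
    raise ArgumentError, "unsafe IMAP flag name: #{name.inspect}"
  end
  sym
end

# Model serializer only: Symbol -> "\Name", Array -> "(a b c)",
# Integer -> decimal. Symbol names are copied without validation.
def encode_naive(arg)
  case arg
  when Symbol  then "\\" + arg.to_s                                  # unchecked
  when Array   then "(" + arg.map { |a| encode_naive(a) }.join(" ") + ")"
  when Integer then arg.to_s
  else raise ArgumentError, "unsupported argument: #{arg.inspect}"
  end
end

# Builds one tagged command line the way a careless client would.
def serialize_naive(tag, command, *args)
  "#{tag} #{command} #{args.map { |a| encode_naive(a) }.join(' ')}\r\n"
end

# Splits a serialized buffer into the command lines the server would parse.
def command_lines(wire)
  wire.split("\r\n")
end

# Benign flag: exactly one command line reaches the server.
def benign_store
  serialize_naive("A1", "STORE 1 +FLAGS", [:Seen])
end

# Constructed attacker-controlled flag name: the CRLF inside the Symbol
# closes the STORE line and starts a second, attacker-chosen command.
INJECTED_FLAG = :"Seen)\r\nA2 NOOP\r\nA3 NOOP ("

def injected_store
  serialize_naive("A1", "STORE 1 +FLAGS", [INJECTED_FLAG])
end

# Hardened path: validate every flag before it is serialized.
def store_checked(flags)
  serialize_naive("A1", "STORE 1 +FLAGS", flags.map { |f| validate_flag_symbol(f) })
end

if __FILE__ == $PROGRAM_NAME
  puts command_lines(benign_store).inspect    # one line
  puts command_lines(injected_store).inspect  # three lines, middle one attacker-chosen
  begin
    store_checked([INJECTED_FLAG])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The upgrade is still the real fix; the allowlist only narrows the application-side input surface and is useful while a patched release is being rolled out.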

Defensive priority

Medium priority for Ruby environments that use Net::IMAP; treat it as urgent where the library is present in production and any IMAP command argument, flags in particular, is built from externally influenced input.

Recommended defensive actions

  • Upgrade Net::IMAP to 0.4.24, 0.5.14, or 0.6.4 (or later on the same branch), depending on the branch you use.
  • Inventory Ruby services and gems to confirm whether net-imap is present, which version is locked in each Gemfile.lock, and whether it arrives only as a transitive dependency (for example via a mail-handling gem).
  • Review code paths that pass Symbol arguments into IMAP command methods and remove any dependence on externally influenced values, or validate those values against a strict allowlist before they reach the library.
  • After upgrading, test IMAP workflows that use Symbol arguments (flag operations especially) to confirm expected behavior.
  • If immediate upgrading is not possible, restrict or avoid the affected call patterns until the patched version is deployed.
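The inventory and upgrade steps above reduce to one question per service: is the locked net-imap version at or above the fixed release for its branch? The Ruby snippet below is an added helper for that check, not part of the advisory or of net-imap. The fixed versions come from this page; the Gemfile.lock excerpt is constructed for the example, and the only dependency is Ruby's bundled Gem::Version.

```ruby
# Added helper for the inventory step of the CVE-2026-42258 response.
# Fixed releases are the ones recorded on this page; branches not listed
# get no verdict because the source record says nothing about them.
require "rubygems"

FIXED_NET_IMAP = {
  [0, 4] => Gem::Version.new("0.4.24"),
  [0, 5] => Gem::Version.new("0.5.14"),
  [0, 6] => Gem::Version.new("0.6.4"),
}.freeze

# Returns :patched, :vulnerable, or :unknown_branch for a version string.
# Comparison uses Gem::Version so pre-release tags and extra segments
# (e.g. "0.5.14.pre", "0.6.4.1") order correctly.
def net_imap_status(version_string)
  version = Gem::Version.new(version_string)
  fixed = FIXED_NET_IMAP[version.segments[0, 2]]
  return :unknown_branch unless fixed
  version >= fixed ? :patched : :vulnerable
end

# Extracts the resolved net-imap version from Gemfile.lock text, i.e. the
# "    net-imap (x.y.z)" line under specs. Lines that merely list net-imap
# as another gem's dependency (no version, or a constraint like ">= 0.4")
# are ignored. Returns nil when the gem is not locked.
def locked_net_imap_version(lockfile_text)
  m = lockfile_text.match(/^\s+net-imap \((\d[^)]*)\)/)
  m && m[1]
end

# Combined verdict for one lockfile: [version, status].
def lockfile_verdict(lockfile_text)
  version = locked_net_imap_version(lockfile_text)
  return [nil, :not_present] unless version
  [version, net_imap_status(version)]
end

# Constructed sample: net-imap pulled in transitively by the mail gem and
# locked at a 0.5.x release older than the fixed 0.5.14.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.8.1)
        net-imap
        net-pop
        net-smtp
      net-imap (0.5.13)
        date
        net-protocol
      net-protocol (0.2.2)
        timeout
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts lockfile_verdict(text).inspect   # sample prints ["0.5.13", :vulnerable]
end
```

Run it against each service's Gemfile.lock (ruby check.rb path/to/Gemfile.lock); a :vulnerable or :unknown_branch result is a candidate for the upgrade list, and :unknown_branch means the branch is outside the releases this advisory covers and needs a manual look.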

Evidence notes

This debrief is based on the official NVD CVE metadata and GitHub Security Advisory references supplied in the source corpus. The source record identifies Net::IMAP in Ruby as the affected component, describes symbol-argument CRLF / IMAP command injection, and lists fixed versions 0.4.24, 0.5.14, and 0.6.4. Weakness mappings in the source record include CWE-77 and CWE-93.

Official resources

Publicly disclosed on 2026-05-09, per the supplied CVE publication timestamp.