CVE-2026-42245 Overview
CVE-2026-42245 is a denial-of-service vulnerability in the Ruby Net::IMAP library, which implements Internet Message Access Protocol (IMAP) client functionality. The flaw resides in Net::IMAP::ResponseReader, which exhibits quadratic time complexity when parsing large server responses containing many string literals. A hostile IMAP server can return crafted responses that force the client to exhaust CPU resources. The issue is patched in versions 0.4.24, 0.5.14, and 0.6.4. The vulnerability is classified under CWE-407 (Inefficient Algorithmic Complexity).
Critical Impact
A malicious IMAP server can deliver responses that drive a connected Ruby client into prolonged CPU saturation, causing denial of service on the client process.
Affected Products
- Ruby net-imap gem versions prior to 0.4.24 (0.4.x branch)
- Ruby net-imap gem versions prior to 0.5.14 (0.5.x branch)
- Ruby net-imap gem versions prior to 0.6.4 (0.6.x branch)
Discovery Timeline
- 2026-05-09 - CVE-2026-42245 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42245
Vulnerability Analysis
The vulnerability is an algorithmic complexity flaw in the response parser. Net::IMAP::ResponseReader accumulates data into an internal buffer (@buff) while iteratively reading lines and embedded string literals. When the server response contains many string literals, the read loop performs work that scales quadratically with input size rather than linearly. An attacker controlling the IMAP server can therefore force the Ruby client to consume CPU disproportionate to bandwidth used, resulting in client-side denial of service. The CVSS 4.0 vector indicates that only availability of the vulnerable component is impacted, with no effect on confidentiality or integrity.
Root Cause
The read_response_buffer method in lib/net/imap/response_reader.rb did not enforce a maximum response size, and its handling of literal-size bookkeeping caused repeated work across iterations. Without a guard on cumulative response size, large multi-literal responses are processed with non-linear performance characteristics.
Attack Vector
Exploitation requires a Ruby application to connect to an attacker-controlled or compromised IMAP server. Once connected, the server returns a crafted response containing many string literals, and the client's ResponseReader enters a CPU-bound parsing path. No authentication on the client side is required for the server to deliver the malicious response.
# Patch excerpt from lib/net/imap/response_reader.rb
# Source: https://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819
def initialize(client, sock)
  @client, @sock = client, sock
  # cached config
  @max_response_size = nil
  # response buffer state
  @buff = @literal_size = nil
end

def read_response_buffer
  @max_response_size = client.max_response_size
  @buff = String.new
  catch :eof do
    while true
      guard_response_too_large!
      read_line
      # check before allocating memory for literal
      guard_response_too_large!
      break unless literal_size
      read_literal
    end
  end
  buff
ensure
  @buff = @literal_size = nil
end
The fix introduces guard_response_too_large! checks before reading a line and before allocating memory for a literal, and caches max_response_size from the client configuration. Backport commits 6091f7d6 (0.5.x) and 88d95231 (0.4.x) apply equivalent state-tracking changes.
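As an added illustration, not code from net-imap, here is a simplified reader with the same loop shape as the patched read_response_buffer, driven by an in-memory StringIO instead of a socket. It shows where the two guard checks fire and that the check before read_literal rejects an announced literal before any memory is reserved for it. The class, helper and sample responses are hypothetical constructions for this example.

```ruby
require "stringio"
class ResponseTooLarge < StandardError; end
# Simplified reader (not net-imap's own code) with the loop shape of the patched
# read_response_buffer: the bound is checked before each line read and again
# before a literal is allocated, so an oversized literal is refused up front.
class BoundedResponseReader
  LITERAL_RE = /\{(\d+)\}\r\n\z/ # IMAP literal prefix "{N}" ending a line
  def initialize(sock, max_response_size:)
    @sock, @max_response_size = sock, max_response_size
  end

  def read_response
    @buff = String.new
    loop do
      guard_response_too_large!
      read_line or break          # EOF: return what was read so far
      guard_response_too_large!   # check before allocating the literal
      break unless @literal_size  # no trailing literal: response complete
      read_literal
    end
    @buff
  end

  private
  def read_line
    line = @sock.gets("\r\n") or return nil
    @buff << line
    @literal_size = (m = LITERAL_RE.match(line)) && m[1].to_i
    line
  end
  def read_literal
    @buff << @sock.read(@literal_size).to_s
    @literal_size = nil
  end
  def guard_response_too_large!
    return unless @max_response_size # nil disables the bound
    pending = @buff.bytesize + @literal_size.to_i # bytes held plus bytes about to be allocated
    raise ResponseTooLarge, "response would exceed #{@max_response_size} bytes" if pending > @max_response_size
  end
end

# Parse one response from an in-memory "socket" standing in for the IMAP connection.
def read_bounded(response, max_response_size:)
  BoundedResponseReader.new(StringIO.new(response), max_response_size: max_response_size).read_response
end

# Constructed sample responses (not captured traffic): one literal, two literals,
# and a line announcing a literal far larger than any sane bound.
SINGLE = "* 1 FETCH (BODY[TEXT] {5}\r\nhello)\r\n"
MULTI  = "* 2 FETCH (BODY[1] {3}\r\nabc BODY[2] {3}\r\ndef)\r\n"
HUGE   = "* 3 FETCH (BODY[] {100000000}\r\n"
```

With a bound in place, HUGE is refused right after its first line is read, while SINGLE and MULTI parse normally; the bound is cumulative, so several small literals that together exceed it are refused as well.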
Detection Methods for CVE-2026-42245
Indicators of Compromise
- Ruby processes using the net-imap gem exhibiting sustained 100% CPU usage shortly after establishing an IMAP session.
- Long-running or hung IMAP client threads with stack frames inside Net::IMAP::ResponseReader#read_response_buffer.
- Outbound IMAP connections to untrusted or unexpected mail servers from application hosts.
Detection Strategies
- Inventory Ruby applications and Bundler lockfiles to identify uses of net-imap at versions below 0.4.24, 0.5.14, or 0.6.4.
- Instrument IMAP client code paths with timing telemetry to detect responses that take disproportionately long to parse relative to byte count.
- Correlate process CPU spikes with active TCP sessions on port 143/993 to identify suspect IMAP peers.
Monitoring Recommendations
- Alert on Ruby worker processes exceeding CPU thresholds while holding an open IMAP socket.
- Log and review IMAP server endpoints configured in application settings, flagging unexpected destinations.
- Track gem dependency drift in CI pipelines and fail builds that pin vulnerable net-imap versions.
How to Mitigate CVE-2026-42245
Immediate Actions Required
- Upgrade the net-imap gem to 0.4.24, 0.5.14, or 0.6.4 depending on the branch currently in use.
- Restrict outbound IMAP connections from application servers to known, trusted mail providers.
- Set a conservative max_response_size on Net::IMAP clients so that the new guard rejects oversized server responses.
Patch Information
The issue is fixed in net-imap 0.4.24, 0.5.14, and 0.6.4. See the GitHub Security Advisory GHSA-q2mw-fvj9-vvcw and the release notes for v0.4.24, v0.5.14, and v0.6.4. The primary fix landed in commit de685f91 with backports in 88d95231 and 6091f7d6.
Workarounds
- Connect only to trusted IMAP servers under your administrative control.
- Apply per-request timeouts and CPU/time limits around IMAP client operations so a stalled parse cannot indefinitely consume a worker.
- Configure max_response_size on the IMAP client to bound buffer growth once on a patched version.
# Update the gem to a patched release
bundle update net-imap
# Verify the installed version is patched
ruby -e "require 'net/imap'; puts Net::IMAP::VERSION"
# Expected output: 0.4.24, 0.5.14, or 0.6.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.