CVE-2026-42256 Overview
CVE-2026-42256 is a denial-of-service vulnerability in the Ruby Net::IMAP library, which implements Internet Message Access Protocol (IMAP) client functionality. The flaw affects versions 0.4.0 through 0.4.23, 0.5.0 through 0.5.13, and 0.6.0 through 0.6.3. When a client authenticates using SCRAM-SHA1 or SCRAM-SHA256, a hostile IMAP server can send an excessively large iteration count value. The client process then performs an unbounded key derivation computation, exhausting CPU resources. The issue is fixed in versions 0.4.24, 0.5.14, and 0.6.4, and is tracked under [CWE-770: Allocation of Resources Without Limits or Throttling].
Critical Impact
A malicious IMAP server can trigger sustained CPU exhaustion in any Ruby client using SCRAM-based authentication, disrupting availability of mail-handling applications.
Affected Products
- Ruby Net::IMAP versions 0.4.0 to 0.4.23
- Ruby Net::IMAP versions 0.5.0 to 0.5.13
- Ruby Net::IMAP versions 0.6.0 to 0.6.3
Discovery Timeline
- 2026-05-09 - CVE-2026-42256 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42256
Vulnerability Analysis
The vulnerability resides in the Salted Challenge Response Authentication Mechanism (SCRAM) implementation within Net::IMAP. SCRAM authentication requires the client to derive a salted password using PBKDF2 with an iteration count supplied by the server. The Ruby client does not enforce an upper bound on this iteration count. When a hostile or compromised IMAP server returns an extremely large iteration count, the client performs the corresponding number of HMAC computations. This consumes CPU time on the client process and blocks legitimate work. The attack requires only that the victim initiate an IMAP authentication exchange against the attacker's server.
Root Cause
The root cause is missing input validation on the iteration count (often referred to as i=) value returned in the server-first SCRAM message. The client treats the value as trusted and feeds it directly into the PBKDF2 loop. Without a sanity cap, the loop scales linearly with the attacker-controlled value, mapping cleanly to [CWE-770].
Attack Vector
The attack is network-based and requires user interaction in that the client must initiate authentication. An attacker operates a malicious IMAP server, or hijacks a connection, and waits for a Ruby client configured to use SCRAM-SHA1 or SCRAM-SHA256. During the SCRAM handshake the attacker returns a crafted server-first message containing an iteration count many orders of magnitude beyond legitimate values. The Ruby client then enters a long-running key derivation that stalls the process. Repeated connections amplify the impact. Verified technical details are available in the GitHub Security Advisory GHSA-87pf-fpwv-p7m7 and the upstream commits 158d0b5, 808001b, and 99f59ea.
Detection Methods for CVE-2026-42256
Indicators of Compromise
- Ruby processes pinning a CPU core at 100% shortly after initiating an outbound IMAP session.
- IMAP authentication exchanges that stall after the server-first SCRAM message without completing the client-final message.
- Outbound IMAP (tcp/143, tcp/993) connections to untrusted or newly observed hostnames from application servers.
Detection Strategies
- Inspect IMAP traffic for SCRAM server-first messages containing iteration counts beyond the typical range of 4096 to 600000.
- Inventory deployed Ruby applications and gem manifests for net-imap versions older than 0.4.24, 0.5.14, or 0.6.4.
- Correlate IMAP session start events with sustained per-process CPU spikes on the same host.
Monitoring Recommendations
- Alert on long-running Ruby worker processes that hold a single thread saturated while a TCP connection to an IMAP service remains open.
- Log and review IMAP server endpoints used by automation, ticketing, and mail-processing pipelines for unexpected destinations.
- Track net-imap gem versions through software composition analysis on every build.
How to Mitigate CVE-2026-42256
Immediate Actions Required
- Upgrade net-imap to 0.4.24, 0.5.14, or 0.6.4 depending on the branch in use.
- Audit all Ruby services that connect to external or user-supplied IMAP servers and prioritize them for patching.
- Restrict outbound IMAP connections to an allowlist of trusted mail servers.
Patch Information
Fixed releases are published as v0.4.24, v0.5.14, and v0.6.4. The patches add an upper bound on the SCRAM iteration count parsed from the server-first message. Update the gem dependency in Gemfile and run bundle update net-imap to apply the fix.
Workarounds
- Disable SCRAM-SHA1 and SCRAM-SHA256 authentication mechanisms and use an alternative supported method where feasible.
- Constrain client IMAP connections to known, trusted servers using egress firewall rules until patching is complete.
- Run IMAP client code in isolated worker processes with CPU time limits to contain the impact of a stalled handshake.
# Update the gem to a fixed release
bundle update net-imap
# Verify the installed version is patched
gem list net-imap
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
