CVE-2026-42256: CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context in ruby net-imap
A vulnerability in the Ruby net-imap library versions before 0. 4. 24, 0. 5. 14, and 0. 6. 4 allows a hostile IMAP server to cause a computational denial-of-service (DoS) attack during SCRAM-SHA1 or SCRAM-SHA256 authentication by sending a large iteration count value. This issue affects versions 0. 4. 0 to before 0.
AI Analysis
Technical Summary
The Ruby net-imap library implements IMAP client functionality. In affected versions, when authenticating using SCRAM-SHA1 or SCRAM-SHA256, the client processes a server-supplied iteration count value. A malicious IMAP server can send an excessively large iteration count, causing the client to perform excessive computation, resulting in a computational denial-of-service (DoS) attack. This vulnerability is identified as CWE-1322 (Use of Blocking Code in Single-threaded, Non-blocking Context) and CWE-770 (Allocation of Resources Without Limits or Throttling). The issue has been addressed by patches in versions 0.4.24, 0.5.14, and 0.6.4.
Potential Impact
A hostile IMAP server can exploit this vulnerability to cause a denial-of-service condition on the client by forcing it to perform expensive computations during authentication. This can degrade or halt client operations, impacting availability. There is no indication of privilege escalation, data disclosure, or code execution. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade the Ruby net-imap library to version 0.4.24, 0.5.14, or 0.6.4 or later, where this vulnerability has been patched. No other mitigation or temporary workaround is indicated. Patch status is confirmed by the version information in the advisory.
CVE-2026-42256: CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context in ruby net-imap
Description
A vulnerability in the Ruby net-imap library versions before 0. 4. 24, 0. 5. 14, and 0. 6. 4 allows a hostile IMAP server to cause a computational denial-of-service (DoS) attack during SCRAM-SHA1 or SCRAM-SHA256 authentication by sending a large iteration count value. This issue affects versions 0. 4. 0 to before 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Ruby net-imap library implements IMAP client functionality. In affected versions, when authenticating using SCRAM-SHA1 or SCRAM-SHA256, the client processes a server-supplied iteration count value. A malicious IMAP server can send an excessively large iteration count, causing the client to perform excessive computation, resulting in a computational denial-of-service (DoS) attack. This vulnerability is identified as CWE-1322 (Use of Blocking Code in Single-threaded, Non-blocking Context) and CWE-770 (Allocation of Resources Without Limits or Throttling). The issue has been addressed by patches in versions 0.4.24, 0.5.14, and 0.6.4.
Potential Impact
A hostile IMAP server can exploit this vulnerability to cause a denial-of-service condition on the client by forcing it to perform expensive computations during authentication. This can degrade or halt client operations, impacting availability. There is no indication of privilege escalation, data disclosure, or code execution. No known exploits are reported in the wild.
Mitigation Recommendations
Upgrade the Ruby net-imap library to version 0.4.24, 0.5.14, or 0.6.4 or later, where this vulnerability has been patched. No other mitigation or temporary workaround is indicated. Patch status is confirmed by the version information in the advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T11:53:27.704Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ff93c0cbff5d86106e458c
Added to database: 5/9/2026, 8:06:24 PM
Last enriched: 5/9/2026, 8:21:35 PM
Last updated: 5/10/2026, 12:26:27 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.