Skip to main content

net-imap CVE-2026-42245

LOW
Inefficient Algorithmic Complexity (CWE-407)
2026-05-04 https://github.com/ruby/net-imap GHSA-q2mw-fvj9-vvcw
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
CVSS changed
May 09, 2026 - 20:22 NVD
2.3 (LOW)
Source Code Evidence Fetched
May 04, 2026 - 22:30 vuln.today
Analysis Generated
May 04, 2026 - 22:30 vuln.today

DescriptionGitHub Advisory

Summary

Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack.

Details

For each literal in a response, ResponseReader rescans the entire growing response buffer. The regular expression that is used to scan the response buffer runs in linear time. With many literals, this becomes O(n²) total work. The regular expression should run in constant time: it is anchored to the end and only the last 23 bytes of the buffer are relevant.

Because the algorithmic complexity is super-linear, this bypasses protection from max_response_size: a response can stay well below the default size limit while still causing very large CPU cost.

Net::IMAP::ResponseReader runs continuously in the receiver thread until the connection closes.

Impact

This consumes disproportionate CPU time in the client's receiver thread. A hostile server could use this to exhaust the client's CPU for a denial of service attack.

For a response near the default max_response_size, each individual regexp scan could take between 100 to 200ms on common modern hardware, and this may be repeated 200k times per megabyte of response. While the regexp is scanning, it retains the Global VM lock, preventing other threads from running.

Although other threads should not be _completely_ blocked, their run time will be significantly impacted.

Mitigation

  • Upgrade to a patched version of net-imap that reads responses more efficiently.
  • Do not connect to untrusted IMAP servers.
  • When connecting to untrusted servers, a _much_ smaller max_response_size (for example: 8KiB) will limit the impact. Although this is too small for fetching unpaginated message bodies, it should be enough for most other operations.

AnalysisAI

net-imap ResponseReader exhibits quadratic time complexity O(n²) when parsing IMAP responses containing multiple string literals, allowing hostile IMAP servers to exhaust client CPU and block other threads via denial of service. A maliciously crafted response can consume 100-200ms per regex scan repeated hundreds of thousands of times per megabyte, holding the Global VM lock and starving concurrent threads despite staying within max_response_size limits. Vendor-released patches available in versions 0.4.24, 0.5.14, and 0.6.4.

Technical ContextAI

Net::IMAP::ResponseReader is the Ruby standard library's IMAP protocol parser. The vulnerability stems from CWE-407 (inefficient algorithm) in the response buffer parsing logic. For each literal string in an IMAP server response, the code rescans the entire accumulated buffer using a regular expression anchored to detect the literal size marker (e.g., {1024} ). This linear-time regex scan runs once per literal, creating quadratic total complexity. The regex /\{(\d+)\}\r\n\z/n operates on an ever-growing buffer, becoming progressively more expensive. Additionally, the regex retains Ruby's Global VM lock during execution, preventing parallel thread execution even when other threads are ready to run. The fix optimizes by only scanning the trailing bytes of each appended line (constant time operation) and caching the literal size state.

RemediationAI

Upgrade net-imap to version 0.4.24 (for 0.4.x branch), 0.5.14 (for 0.5.x branch), or 0.6.4 (for 0.6.x branch) or later. The patches are available in RubyGems and GitHub releases. For applications that cannot immediately upgrade, implement a mitigating configuration: reduce max_response_size to 8 KiB or smaller when connecting to untrusted IMAP servers (trade-off: cannot fetch unpaginated message bodies larger than the limit, suitable for control operations). Avoid connecting to untrusted IMAP servers if possible. Patched code is available in commits 6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96 and 88d95231fc8afef11c1f074453f7d75b68c9dfda on the main branch. See https://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw for detailed remediation guidance.

Share

CVE-2026-42245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy