CVE-2026-42245: net-imap: Quadratic complexity when reading response literals

Published May 4, 2026

Summary

Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack.

Details

For each literal in a response, ResponseReader rescans the entire, growing response buffer for the trailing literal-size marker (`{<n>}` followed by CRLF). The regular expression used for that scan runs in time linear in the buffer length, so with many literals the total work is O(n²) in the response size. The scan should take constant time: the pattern is anchored to the end of the buffer, and only the last 23 bytes of the buffer are relevant.

Because the cost is super-linear in the response size, this bypasses the protection that max_response_size provides: a response can stay well below the default size limit and still impose a very large CPU cost.
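To make the two points above concrete, here is an added example; it is not net-imap's own ResponseReader code. A minimal reader for IMAP responses containing literals is run twice over the same constructed hostile response: once rescanning the whole buffer with an end-anchored regexp (the quadratic behaviour described above), once handing the regexp only the last 23 bytes (the constant-time check the advisory calls for; this implementation of it is a hypothetical one). The work is measured as bytes handed to the regexp engine rather than wall-clock time, so the result is deterministic; the response, the `hostile_response` helper and the `LiteralReader` class are all constructed for this example.

```ruby
# Added example (not net-imap's own code): a minimal reader for IMAP responses
# containing literals (`{<n>}CRLF` followed by <n> raw bytes) that shows why
# rescanning the whole growing buffer is quadratic and why scanning only the
# buffer's tail is not. Byte counts, not wall-clock time, measure the work.
require "stringio"

# The literal-size marker can only ever sit at the very end of the buffer.
LITERAL_RE = /\{(\d+)\}\r\n\z/n
# Per the advisory, only the last 23 bytes of the buffer can hold the marker.
TAIL_BYTES = 23

# Constructed hostile response (not captured from a real server): one FETCH
# response carrying `literal_count` one-byte literals, each of which sends the
# reader back into the literal-size check.
def hostile_response(literal_count)
  buf = String.new("* 1 FETCH (", encoding: Encoding::BINARY)
  literal_count.times { buf << "BODY[] {1}\r\nX " }
  buf << ")\r\n"
end

class LiteralReader
  attr_reader :bytes_scanned

  # scan_tail_only: false reproduces the quadratic behaviour described above;
  # true applies the fix the advisory asks for (hypothetical implementation).
  def initialize(io, scan_tail_only:)
    @io = io
    @scan_tail_only = scan_tail_only
    @bytes_scanned = 0
  end

  # Reads one complete response: a line ending in a literal marker is followed
  # by exactly that many raw bytes, then another line, until a line carries no
  # marker. Returns the raw response bytes.
  def read_response
    buff = String.new(encoding: Encoding::BINARY)
    loop do
      line = @io.gets("\r\n") or break              # EOF
      buff << line
      size = literal_size(buff) or break             # no literal: response done
      literal = @io.read(size)
      break if literal.nil? || literal.bytesize < size  # truncated literal
      buff << literal
    end
    buff
  end

  private

  def literal_size(buff)
    if @scan_tail_only
      # Only the tail can match, so hand the engine just those bytes: O(1).
      start = [buff.bytesize - TAIL_BYTES, 0].max
      tail = buff.byteslice(start, TAIL_BYTES)
      @bytes_scanned += tail.bytesize
      tail[LITERAL_RE, 1]&.to_i
    else
      # `\z` anchors the match, but `\d+` has no maximum length, so the engine
      # cannot jump to the end; it sweeps the whole buffer: O(buffer size).
      @bytes_scanned += buff.bytesize
      buff[LITERAL_RE, 1]&.to_i
    end
  end
end

# Reads the same hostile response both ways and reports the bytes handed to
# the regexp engine. Both readers must return identical bytes.
def compare_scan_cost(literal_count)
  response = hostile_response(literal_count)
  whole = LiteralReader.new(StringIO.new(response), scan_tail_only: false)
  tail  = LiteralReader.new(StringIO.new(response), scan_tail_only: true)
  unless whole.read_response == response && tail.read_response == response
    raise "readers disagree on the response bytes"
  end
  { response_bytes: response.bytesize,
    whole_buffer_scanned: whole.bytes_scanned,
    tail_only_scanned: tail.bytes_scanned }
end

if $PROGRAM_NAME == __FILE__
  [100, 1_000, 10_000].each { |n| p n => compare_scan_cost(n) }
end
```

For 1,000 literals the response is about 14 KiB, far below any sensible response-size limit, yet the whole-buffer reader hands roughly 7 MB to the regexp engine while the tail-only reader hands it 23 KB; doubling the literal count quadruples the first figure and only doubles the second. That gap is why a size limit alone does not bound the CPU cost.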

Net::IMAP::ResponseReader runs continuously in the receiver thread until the connection closes.

Impact

This consumes disproportionate CPU time in the client's receiver thread. A hostile server could use this to exhaust the client's CPU for a denial of service attack.

For a response near the default max_response_size, each individual regexp scan could take between 100 and 200 ms on common modern hardware, and the scan may be repeated about 200k times per megabyte of response (one scan per literal). While the regexp is scanning, the receiver thread holds the Global VM Lock (GVL), preventing other Ruby threads from running.

Other threads should not be blocked completely, but their run time will be significantly reduced.

Mitigation

Upgrade to a patched version of net-imap (0.4.24, 0.5.14, or 0.6.4 or later) that reads responses more efficiently. Do not connect to untrusted IMAP servers. When you must connect to an untrusted server, a much smaller max_response_size (for example 8 KiB) limits the impact; although this is too small for fetching unpaginated message bodies, it should be enough for most other operations.

Other sources

MITRE:

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.

Affected Software

6 affected components, fixes available:

Component            Affected versions         Fixed in
rubygems/net-imap    >= 0, <= 0.4.23           0.4.24
rubygems/net-imap    >= 0.5.0, <= 0.5.13       0.5.14
rubygems/net-imap    >= 0.6.0, <= 0.6.3        0.6.4
ruby-lang Net        < 0.4.24                  0.4.24
ruby-lang Net        >= 0.5.0, < 0.5.14        0.5.14
ruby-lang Net        >= 0.6.0, < 0.6.4         0.6.4

Event History

May 4, 2026
  Advisory Published via GitHub, 10:02 PM
  Data Sourced via GitHub, 10:02 PM (Description, Weakness, Affected Software)

May 9, 2026
  CVE Published via MITRE, 07:37 PM
  Data Sourced via MITRE, 07:37 PM (Description, Weakness)
  Data Sourced via NVD, 08:16 PM (Remedy, Description, Severity, Weakness, Affected Software)

Frequently Asked Questions

1. What is the severity of CVE-2026-42245?

CVE-2026-42245 is a denial of service (DoS) vulnerability: a hostile IMAP server can exhaust the CPU of an affected client.

2. How do I fix CVE-2026-42245?

Upgrade net-imap to 0.4.24, 0.5.14, or 0.6.4 or later, depending on which release series you are on.

3. What versions of net-imap are affected by CVE-2026-42245?

All versions before 0.4.24, versions 0.5.0 through 0.5.13, and versions 0.6.0 through 0.6.3.

4. Who can exploit CVE-2026-42245?

A hostile IMAP server, by sending crafted responses to an affected client; the client only has to connect and read the server's responses.

5. What is the impact of CVE-2026-42245 on systems using net-imap?

A potential denial of service: the receiver thread burns CPU while holding the GVL, which can leave the affected application unresponsive.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co