PT-2026-36986 · Cpan · Net::Imap

Masamuneee · Published 2026-05-04 · Updated 2026-05-16 · CVE-2026-42245

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Net::IMAP (affected versions not specified)

Description

Net::IMAP::ResponseReader exhibits quadratic time complexity when processing large responses containing numerous string literals. A hostile server can send specially crafted responses that force the ResponseReader to rescan the entire growing response buffer for each literal, leading to excessive CPU consumption and a denial of service. This algorithmic complexity allows the issue to bypass max response size protections, as a response can remain below the size limit while still incurring high CPU costs. Because the process retains the Global VM lock during scanning, other threads are significantly impacted.

Recommendations

Upgrade to a patched version of net-imap. Avoid connecting to untrusted IMAP servers. When connecting to untrusted servers, reduce max response size to a much smaller value, such as 8 KiB, to limit the impact.
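The cost described above can be measured with a simplified model of a line-plus-literal reader. This is an added example, not net-imap's ResponseReader source; `read_response`, `sample_response`, `scan_cost` and the FETCH-style sample are constructed for illustration. It counts the bytes the literal check examines when it sees the whole buffer each time versus only the line just read, under the same size cap.

```ruby
require "stringio"

# Simplified model of a reader that assembles one IMAP response from lines
# and literals. Illustration only, not net-imap's ResponseReader source.
LITERAL_TAIL = /\{(\d+)\}\r\n\z/n

# Returns [response, bytes_examined]. bytes_examined counts the bytes handed
# to the "does this end with a literal marker?" check.
#   rescan: true  -> check sees the whole accumulated buffer every time
#   rescan: false -> check sees only the line that was just read
def read_response(io, max_size:, rescan:)
  buf = String.new(encoding: Encoding::BINARY)
  examined = 0
  loop do
    line = io.gets("\r\n")
    raise EOFError, "truncated response" if line.nil?
    buf << line
    raise ArgumentError, "response larger than #{max_size} bytes" if buf.bytesize > max_size
    target = rescan ? buf : line
    examined += target.bytesize
    marker = LITERAL_TAIL.match(target)
    return [buf, examined] unless marker
    size = marker[1].to_i
    raise ArgumentError, "response larger than #{max_size} bytes" if buf.bytesize + size > max_size
    literal = io.read(size)
    raise EOFError, "truncated literal" if literal.nil? || literal.bytesize < size
    buf << literal
  end
end

# Constructed sample: one FETCH-style response carrying `count` 2-byte literals.
def sample_response(count)
  ("* 1 FETCH (" + (1..count).map { |i| "BODY[#{i}] {2}\r\nhi" }.join(" ") + ")\r\n").b
end

# Bytes examined by each strategy for the same input under the same size cap.
def scan_cost(count, max_size: 8 * 1024)
  raw = sample_response(count)
  _, rescanned = read_response(StringIO.new(raw), max_size: max_size, rescan: true)
  _, incremental = read_response(StringIO.new(raw), max_size: max_size, rescan: false)
  { bytes: raw.bytesize, rescan: rescanned, incremental: incremental }
end

if __FILE__ == $PROGRAM_NAME
  [50, 100, 200].each { |n| puts "#{n} literals: #{scan_cost(n)}" }
end
```

Doubling the number of literals roughly quadruples the rescanning cost while the incremental cost only doubles, which is why a small size cap bounds the impact but does not remove the quadratic behaviour.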

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-42245
GHSA-Q2MW-FVJ9-VVCW

Affected Products

Net::Imap