CVE-2026-42256

Name of the Vulnerable Software and Affected Versions net-imap (affected versions not specified)

Description A hostile IMAP server can trigger a computational denial-of-service attack on the client process during authentication using SCRAM-SHA1 or SCRAM-SHA256. By sending an arbitrarily large PBKDF2 iteration count in the server-first-message, the server forces the client to execute an expensive OpenSSL::KDF.pbkdf2 hmac() call. Since this function is a blocking C extension that holds the Ruby Global VM Lock (a mechanism that ensures only one thread executes Ruby code at a time), it can freeze the entire Ruby VM and block all threads for several minutes, depending on the hardware and OpenSSL version.

Recommendations Upgrade to a patched version of net-imap and call Net::IMAP#authenticate using a max iterations keyword argument set to a safe value appropriate for the security context. Avoid using SCRAM-* mechanisms when authenticating to untrusted servers.