PT-2026-37183 · Cpan · Net::Imap

Masamuneee · Published 2026-05-04 · Updated 2026-05-20 · CVE-2026-42246

CVSS v4.0: 7.6 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Net::IMAP versions prior to 0.3.10
Net::IMAP versions prior to 0.4.24
Net::IMAP versions prior to 0.5.14
Net::IMAP versions prior to 0.6.4

Description

A man-in-the-middle attacker can cause the starttls() function to return successfully without actually establishing a TLS connection. This occurs when an attacker injects a tagged OK response with a predictable tag before the client finishes sending the command, causing the command to complete before the response handler is registered. This results in a STARTTLS stripping attack, where the socket remains unencrypted, leading to the cleartext transmission of sensitive information.

Recommendations

Update to version 0.3.10.
Update to version 0.4.24.
Update to version 0.5.14.
Update to version 0.6.4.
Connect to an implicit TLS port instead of using STARTTLS with a cleartext port.
Explicitly verify that tls_verified? is true before using the connection after calling starttls().


Weakness Type

Improper Check for Exceptional Conditions

Related Identifiers

CVE-2026-42246
GHSA-VCGP-9326-PQCP

Affected Products

Net::Imap