{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-09T19:37:08Z",
  "bugzilla" : {
    "description" : "ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses",
    "id" : "2468495",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2468495"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-606",
  "details" : [ "A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol (IMAP) client functionality. A hostile server can exploit a quadratic time complexity issue in the `Net::IMAP::ResponseReader` when processing large responses containing numerous string literals. This can lead to the client's CPU being exhausted, resulting in a denial of service (DoS) attack." ],
  "package_state" : [ {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp21/system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp21/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp22/system",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp22/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/system-rhel7",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/system-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/system-rhel9",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/zync-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Fix deferred",
    "package_name" : "3scale-amp2/zync-rhel9",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby4.0",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby:3.3/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby:3.3/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Fix deferred",
    "package_name" : "ruby:4.0/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "ruby3.3",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "ruby3.4",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "fix_state" : "Affected",
    "package_name" : "ruby4.0",
    "cpe" : "cpe:/a:redhat:hummingbird:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-42245\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-42245\nhttps://github.com/ruby/net-imap/commit/6091f7d6b1f3514cafbfe39c76f2b5d73de3ca96\nhttps://github.com/ruby/net-imap/commit/88d95231fc8afef11c1f074453f7d75b68c9dfda\nhttps://github.com/ruby/net-imap/commit/de685f91a4a4cc75eb80da898c2bf8af08d34819\nhttps://github.com/ruby/net-imap/releases/tag/v0.4.24\nhttps://github.com/ruby/net-imap/releases/tag/v0.5.14\nhttps://github.com/ruby/net-imap/releases/tag/v0.6.4\nhttps://github.com/ruby/net-imap/security/advisories/GHSA-q2mw-fvj9-vvcw" ],
  "name" : "CVE-2026-42245",
  "mitigation" : {
    "value" : "To reduce the risk of a denial of service, ensure that applications using the Net::IMAP library are configured to connect exclusively to trusted IMAP servers. Avoid connecting to untrusted or unverified IMAP services, as a hostile server can exploit this vulnerability. This operational control helps prevent exposure to malicious IMAP response processing.",
    "lang" : "en:us"
  },
  "csaw" : false
}