CVE-2026-42258
Published: May 20, 2026
Last modified: May 21, 2026
Description
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Symbol arguments passed to IMAP commands are vulnerable to CRLF injection / IMAP command injection. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4.
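To check whether a project resolves to an affected release, the following added example (not code from the net-imap project or from this advisory) reads a Gemfile.lock and compares the locked net-imap version against the three fixed versions named above. The helper names and the sample lockfile are constructed for illustration, and the branch handling assumes each fixed version covers its own major.minor line.

```ruby
require "rubygems" # Gem::Version

# First patched release on each branch, as listed in the advisory text.
FIXED = %w[0.4.24 0.5.14 0.6.4].map { |v| Gem::Version.new(v) }.sort.freeze

# True when a net-imap version predates the fix for its release line.
# Assumption: lines older than 0.4 have no fixed release and count as
# affected; anything at or above the newest fixed release is patched.
def net_imap_vulnerable?(version)
  v = Gem::Version.new(version)
  return true if v < FIXED.first
  return false if v >= FIXED.last
  line = v.segments.first(2) # e.g. [0, 5]
  fix = FIXED.find { |f| f.segments.first(2) == line }
  fix ? v < fix : false
end

# Resolved net-imap version from Gemfile.lock text, or nil if absent.
# Spec entries are indented four spaces; deeper lines are dependencies.
def locked_net_imap_version(lock_text)
  lock_text[/^ {4}net-imap \((\d[^)\s]*)\)\s*$/, 1]
end

# Hypothetical helper: classify a lockfile as :vulnerable, :patched
# or :not_present with respect to this CVE.
def audit_lockfile(lock_text)
  version = locked_net_imap_version(lock_text)
  return :not_present unless version
  net_imap_vulnerable?(version) ? :vulnerable : :patched
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mail (2.8.1)
        net-imap
      net-imap (0.5.6)
        date
        net-protocol

  DEPENDENCIES
    mail
LOCK

puts "net-imap: #{audit_lockfile(SAMPLE_LOCK)}" if $PROGRAM_NAME == __FILE__
```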
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack Vector | LOCAL |
| Attack complexity | HIGH |
| Privileges required | LOW |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | HIGH |
| Availability impact | LOW |
| Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 25 LTS | ruby-net-imap | Fixed (0.5.14-r0) |
| Alpaquita Linux | Stream | ruby-net-imap | Fixed (0.5.14-r0) |
References
- https://access.redhat.com/errata/RHSA-2026:33462
- https://access.redhat.com/errata/RHSA-2026:33512
- https://access.redhat.com/errata/RHSA-2026:33514
- https://access.redhat.com/errata/RHSA-2026:33515
- https://access.redhat.com/errata/RHSA-2026:33540
- https://access.redhat.com/errata/RHSA-2026:33565
- https://access.redhat.com/errata/RHSA-2026:33576
- https://access.redhat.com/errata/RHSA-2026:33577
- https://access.redhat.com/errata/RHSA-2026:33630
- https://access.redhat.com/security/cve/CVE-2026-42258
- https://bugzilla.redhat.com/show_bug.cgi?id=2468498
- https://github.com/ruby/net-imap/releases/tag/v0.4.24
- https://github.com/ruby/net-imap/releases/tag/v0.5.14
- https://github.com/ruby/net-imap/releases/tag/v0.6.4
- https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42258.json