Net::IMAP: Denial of Service via malformed command input
Summary
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to 0.6.5 and 0.5.15, several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. This vulnerability is fixed in 0.6.5 and 0.5.15. A flaw was found in Net::IMAP, a Ruby client library for the Internet Message Access Protocol (IMAP). This vulnerability allows a remote attacker to cause a denial of service by sending specially crafted input to certain Net::IMAP commands. When a raw string argument, derived from user-controlled input, is not properly validated, it can force subsequent commands to be absorbed, leading to a hung connection and preventing further processing until the connection is closed. A Moderate denial of service flaw was found in the Net::IMAP Ruby client library. This issue occurs when a remote attacker sends specially crafted input to certain Net::IMAP commands, causing the client connection to hang indefinitely. This can prevent further processing of IMAP commands until the connection is manually closed, impacting the availability of services relying on the Net::IMAP client. Red Hat severity: Moderate — CVSS 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-88. Fixed by RHSA-2026:33551, RHSA-2026:34293 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- ruby4-0-main-4.0.0-33.4.hum1
- ruby3-4-main-3.4.8-31.3.hum1
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
- ruby4-0-main-4.0.0-33.4.hum1
- ruby3-4-main-3.4.8-31.3.hum1
- RHSA-2026:33551
- RHSA-2026:34293
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.