net-imap vulnerable to STARTTLS stripping via invalid response timing
Summary
| CVE | CVE-2026-42246 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-09 20:16:28 UTC |
| Updated | 2026-07-10 12:16:52 UTC |
| Description | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4. |
Risk And Classification
Primary CVSS: v4.0 7.6 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000380000 probability, percentile 0.114180000 (date 2026-05-19)
Problem Types: CWE-392 | CWE-393 | CWE-636 | CWE-754 | CWE-841 | CWE-325 | CWE-392 CWE-392: Missing Report of Error Condition | CWE-393 CWE-393: Return of Wrong Status Code | CWE-754 CWE-754: Improper Check for Unusual or Exceptional Conditions | CWE-636 CWE-636: Not Failing Securely ('Failing Open') | CWE-841 CWE-841: Improper Enforcement of Behavioral Workflow | CWE-325 Missing Cryptographic Step
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 7.6 | HIGH | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | ADP | CVSS | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:37397 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33512 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:36099 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33577 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33515 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33551 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33462 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/ruby/net-imap/releases/tag/v0.5.14 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:33565 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33630 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35866 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33514 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42246.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:33576 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618 | [email protected] | github.com | Patch |
| access.redhat.com/errata/RHSA-2026:33721 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35834 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/ruby/net-imap/releases/tag/v0.4.24 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:35867 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/ruby/net-imap/releases/tag/v0.3.10 | [email protected] | github.com | Release Notes |
| access.redhat.com/errata/RHSA-2026:33552 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c | [email protected] | github.com | Patch |
| github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp | [email protected] | github.com | Mitigation, Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:34076 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:35895 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:33540 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:37238 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-42246 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-05-09T20:01:04.782Z | Reported to Red Hat. |
| ADP | 2026-05-09T19:33:17.880Z | Made public. |
Solutions
ADP: RHSA-2026:37397: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)
ADP: RHSA-2026:35895: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)
ADP: RHSA-2026:33565: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:33540: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)
ADP: RHSA-2026:33514: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:33515: Red Hat Enterprise Linux AppStream (v. 8)
ADP: RHSA-2026:35866: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)
ADP: RHSA-2026:35867: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)
ADP: RHSA-2026:34076: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)
ADP: RHSA-2026:35834: Red Hat Enterprise Linux AppStream E4S (v.9.2)
ADP: RHSA-2026:33630: Red Hat Enterprise Linux AppStream E4S (v.9.4)
ADP: RHSA-2026:36099: Red Hat Enterprise Linux AppStream E4S (v.9.4)
ADP: RHSA-2026:33462: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:37238: Red Hat Enterprise Linux AppStream EUS (v.9.6)
ADP: RHSA-2026:33512: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)
ADP: RHSA-2026:33576: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:33577: Red Hat Enterprise Linux AppStream (v. 9)
ADP: RHSA-2026:33721: Red Hat Hardened Images
ADP: RHSA-2026:33552: Red Hat Hardened Images
ADP: RHSA-2026:33551: Red Hat Hardened Images
Workarounds
ADP: As a temporary workaround, Users are strongly encouraged to switch from explicit TLS upgrading mechanisms (STARTTLS on port 143) to Implicit TLS connections (such as IMAPS on port 993). By enforcing implicit TLS via port 993 from the initial socket creation step, the connection is mathematically protected against packet injection and connection degradation tactics entirely, bypassing the vulnerable implementation path.