ByteOS Network

CVE Vulnerability Details :

CVE-2026-42246

PUBLISHED

More Info Official Page

Assigner-GitHub_M

Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa

Published At-09 May, 2026 | 19:33

Updated At-12 May, 2026 | 02:29

▼CVE Numbering Authority (CNA)

net-imap vulnerable to STARTTLS stripping via invalid response timing

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. This issue has been patched in versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4.

Affected Products

Vendor

Ruby

Product

net-imap

Versions

Affected

< 0.3.10
>= 0.4.0, < 0.4.24
>= 0.5.0, < 0.5.14
>= 0.6.0, < 0.6.4

Problem Types

Type	CWE ID	Description
CWE	CWE-392	CWE-392: Missing Report of Error Condition
CWE	CWE-393	CWE-393: Return of Wrong Status Code
CWE	CWE-754	CWE-754: Improper Check for Unusual or Exceptional Conditions
CWE	CWE-636	CWE-636: Not Failing Securely ('Failing Open')
CWE	CWE-841	CWE-841: Improper Enforcement of Behavioral Workflow

Type: CWE

CWE ID: CWE-392

Description: CWE-392: Missing Report of Error Condition

Type: CWE

CWE ID: CWE-393

Description: CWE-393: Return of Wrong Status Code

Type: CWE

CWE ID: CWE-754

Description: CWE-754: Improper Check for Unusual or Exceptional Conditions

Type: CWE

CWE ID: CWE-636

Description: CWE-636: Not Failing Securely ('Failing Open')

Type: CWE

CWE ID: CWE-841

Description: CWE-841: Improper Enforcement of Behavioral Workflow

Metrics

Version	Base score	Base severity	Vector
4.0	7.6	HIGH	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Version: 4.0

Base score: 7.6

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

References

Hyperlink	Resource
https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp	x_refsource_CONFIRM
https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618	x_refsource_MISC
https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e	x_refsource_MISC
https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c	x_refsource_MISC
https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da	x_refsource_MISC
https://github.com/ruby/net-imap/releases/tag/v0.3.10	x_refsource_MISC
https://github.com/ruby/net-imap/releases/tag/v0.4.24	x_refsource_MISC
https://github.com/ruby/net-imap/releases/tag/v0.5.14	x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/security/advisories/GHSA-vcgp-9326-pqcp

Resource:

x_refsource_CONFIRM

Hyperlink: https://github.com/ruby/net-imap/commit/0ede4c40b1523dfeaf95777b2678e54cc0fd9618

Resource:

x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/commit/24a4e770b43230286a05aa2a9746cdbb3eb8485e

Resource:

x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/commit/97e2488fb5401a1783bddd959dde007d9fbce42c

Resource:

x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/commit/f79d35bf5833f186e81044c57c843eda30c873da

Resource:

x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/releases/tag/v0.3.10

Resource:

x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/releases/tag/v0.4.24

Resource:

x_refsource_MISC

Hyperlink: https://github.com/ruby/net-imap/releases/tag/v0.5.14

Resource:

x_refsource_MISC

▼Authorized Data Publishers (ADP)

CISA ADP Vulnrichment

Affected Products

Affected

Problem Types

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References

Affected Products

Metrics

Metrics Other Info

Impacts

Solutions

Configurations

Workarounds

Exploits

Credits

Timeline

Replaced By

Rejected Reason

References