{ "dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": { "cveId": "CVE-2026-42258", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-26T11:53:27.704Z", "datePublished": "2026-05-09T19:40:49.405Z", "dateUpdated": "2026-07-10T12:05:48.226Z" }, "containers": { "cna": { "title": "net-imap: Command Injection via unvalidated Symbol inputs", "problemTypes": [ { "descriptions": [ { "cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-93", "lang": "en", "description": "CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')", "type": "CWE" } ] } ], "metrics": [ { "cvssV4_0": { "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:P/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0" } } ], "references": [ { "name": "https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/ruby/net-imap/security/advisories/GHSA-75xq-5h9v-w6px" }, { "name": "https://github.com/ruby/net-imap/releases/tag/v0.4.24", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.4.24" }, { "name": "https://github.com/ruby/net-imap/releases/tag/v0.5.14", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.5.14" }, { "name": "https://github.com/ruby/net-imap/releases/tag/v0.6.4", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/ruby/net-imap/releases/tag/v0.6.4" } ], "affected": [ { "vendor": "ruby", "product": "net-imap", "versions": [ { "version": "< 0.4.24", "status": "affected" }, { "version": ">= 0.5.0, < 0.5.14", "status": "affected" }, { "version": ">= 0.6.0, < 0.6.4", "status": "affected" } ] } ], "providerMetadata": { "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-05-09T19:40:49.405Z" }, "descriptions": [ { "lang": "en", "value": "Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands. This issue has been patched in versions 0.4.24, 0.5.14, and 0.6.4." } ], "source": { "advisory": "GHSA-75xq-5h9v-w6px", "discovery": "UNKNOWN" } }, "adp": [ { "metrics": [ { "other": { "type": "ssvc", "content": { "timestamp": "2026-05-11T14:57:16.635329Z", "id": "CVE-2026-42258", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "version": "2.0.3" } } } ], "title": "CISA ADP Vulnrichment", "providerMetadata": { "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-11T14:57:24.039Z" } }, { "affected": [ { "cpes": [ "cpe:/o:redhat:rhel_els:7" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux Server (v. 7 ELS)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:rhel_els:7" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux Server Optional (v. 7 ELS)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux_eus:10.0" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v. 10.0)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:10.2" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 10)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux:8::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 8)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_aus:8.4::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream AUS (v.8.4)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus_long_life:8.4::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_aus:8.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream AUS (v.8.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus_long_life:8.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:8.8::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.8.8)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_tus:8.8::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream TUS (v.8.8)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:9.2::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.9.2)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_e4s:9.4::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream E4S (v.9.4)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus:9.6::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream EUS (v.9.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux:9::appstream" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux AppStream (v. 9)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux_eus:10.0" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:10.2" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:rhel_eus:9.6::crb" ], "defaultStatus": "affected", "product": "Red Hat CodeReady Linux Builder EUS (v.9.6)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:enterprise_linux:9::crb" ], "defaultStatus": "affected", "product": "Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:hummingbird:1" ], "defaultStatus": "affected", "product": "Red Hat Hardened Images", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_ai" ], "defaultStatus": "affected", "product": "Red Hat OpenShift AI (RHOAI)", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift:4" ], "defaultStatus": "affected", "product": "Red Hat OpenShift Container Platform 4", "vendor": "Red Hat" }, { "cpes": [ "cpe:/o:redhat:enterprise_linux:6" ], "defaultStatus": "unaffected", "product": "Red Hat Enterprise Linux 6", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:openshift_devspaces:3" ], "defaultStatus": "unaffected", "product": "Red Hat OpenShift Dev Spaces", "vendor": "Red Hat" }, { "cpes": [ "cpe:/a:redhat:red_hat_3scale_amp:2" ], "defaultStatus": "unknown", "product": "Red Hat 3scale API Management Platform 2", "vendor": "Red Hat" } ], "datePublic": "2026-05-09T19:40:49.405Z", "descriptions": [ { "lang": "en", "value": "A flaw was found in Net::IMAP, a Ruby library that provides Internet Message Access Protocol (IMAP) client functionality. This vulnerability allows a remote attacker to inject arbitrary IMAP commands. This is achieved by passing specially crafted symbol arguments to IMAP commands. Successful exploitation could lead to unauthorized actions on the IMAP server or client, potentially resulting in information disclosure or other integrity impacts." } ], "metrics": [ { "other": { "content": { "namespace": "https://access.redhat.com/security/updates/classification/", "value": "Important" }, "type": "Red Hat severity rating" } }, { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N", "version": "3.1" }, "format": "CVSS" } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-93", "description": "Improper Neutralization of CRLF Sequences ('CRLF Injection')", "lang": "en", "type": "CWE" } ] } ], "references": [ { "tags": [ "vdb-entry", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/security/cve/CVE-2026-42258" }, { "name": "RHBZ#2468498", "tags": [ "issue-tracking", "x_refsource_REDHAT" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2468498" }, { "tags": [ "x_sadp-csaf-vex" ], "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-42258.json" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:37397" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35895" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33565" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33540" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33514" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33515" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35866" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35867" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:34076" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:35834" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33630" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:36099" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33462" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:37238" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33512" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33576" }, { "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "https://access.redhat.com/errata/RHSA-2026:33577" } ], "solutions": [ { "lang": "en", "value": "RHSA-2026:37397: Red Hat Enterprise Linux Server (v. 7 ELS), Red Hat Enterprise Linux Server Optional (v. 7 ELS)" }, { "lang": "en", "value": "RHSA-2026:35895: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)" }, { "lang": "en", "value": "RHSA-2026:33565: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)" }, { "lang": "en", "value": "RHSA-2026:33540: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)" }, { "lang": "en", "value": "RHSA-2026:33514: Red Hat Enterprise Linux AppStream (v. 8)" }, { "lang": "en", "value": "RHSA-2026:33515: Red Hat Enterprise Linux AppStream (v. 8)" }, { "lang": "en", "value": "RHSA-2026:35866: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4)" }, { "lang": "en", "value": "RHSA-2026:35867: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6)" }, { "lang": "en", "value": "RHSA-2026:34076: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8)" }, { "lang": "en", "value": "RHSA-2026:35834: Red Hat Enterprise Linux AppStream E4S (v.9.2)" }, { "lang": "en", "value": "RHSA-2026:33630: Red Hat Enterprise Linux AppStream E4S (v.9.4)" }, { "lang": "en", "value": "RHSA-2026:36099: Red Hat Enterprise Linux AppStream E4S (v.9.4)" }, { "lang": "en", "value": "RHSA-2026:33462: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)" }, { "lang": "en", "value": "RHSA-2026:37238: Red Hat Enterprise Linux AppStream EUS (v.9.6)" }, { "lang": "en", "value": "RHSA-2026:33512: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)" }, { "lang": "en", "value": "RHSA-2026:33576: Red Hat Enterprise Linux AppStream (v. 9)" }, { "lang": "en", "value": "RHSA-2026:33577: Red Hat Enterprise Linux AppStream (v. 9)" } ], "timeline": [ { "lang": "en", "time": "2026-05-09T20:01:01.698Z", "value": "Reported to Red Hat." }, { "lang": "en", "time": "2026-05-09T19:40:49.405Z", "value": "Made public." } ], "title": "ruby/net-imap: ruby: Net::IMAP: IMAP Command Injection via Symbol Arguments", "workarounds": [ { "lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability." } ], "x_adpType": "supplier", "x_generator": { "engine": "sadp-cli 1.0.0" }, "providerMetadata": { "orgId": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c", "shortName": "redhat-SADP", "dateUpdated": "2026-07-10T12:05:48.226Z" } } ] } }