CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-47241

lowcovered by 2 sourcesfirst seen 2026-06-09
Summary Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed. Details Net::IMAP::RawData was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trailing-marker check uses an incorrect regex which does not match {0} or {0+}, so an attacker-controlled seach criteria or fetch attr string ending in {0} or {0+} passes validation and is sent verbatim. Since these arguments are sent as the last argument in the command, they will be followed by CRLF. Although the CRLF was intended to end the command, the server will interpret it as part of a literal prefix. This consumes the next command the client puts on the socket as additional arguments to the current command. This affects the following command's arguments: - criteria for #search and #uid_search - search_keys for #sort, #thread, #uid_sort, and #uid_thread - attr for #fetch and #uid_fetch The command which contained the attacker's raw data will not be able to complete until the _next_ command is issued. If commands are only sent from single thread, the first command will hang until the connection times out (most likely by the server closing the connection). If a second command is sent _(from another thread)_, this would allow the server to respond to the first command. This combined command _will_ be invalid: - The {0}\r\n literal prohibits other arguments (such as a quoted string) from spanning both commands - It will be sent without the space delimiter w

CSIRTS triage

What
There is a denial of service vulnerability via incomplete raw argument validation.
Who is affected
Deployments using affected IMAP services.
Urgency
Remediation is necessary but the severity is currently unknown.
Action
Monitor for updates regarding CVE-2026-47241.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-47241

Get an email if CVE-2026-47241 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-47241

CVE.org record

Embed the live status

CVE-2026-47241 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-47241 status](https://www.csirts.com/badge/CVE-2026-47241)](https://www.csirts.com/cve/CVE-2026-47241)