PT-2026-60884 · Jline · Jline

CVE-2026-56740

·

Published

2026-07-17

·

Updated

2026-07-18

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions JLine versions prior to 3.30.14 JLine versions prior to 4.0.16 JLine versions prior to 4.2.1
Description The JLine3 Telnet server remote-telnet module fails to limit the number of environment variables a client can inject using the Telnet NEW-ENVIRON option. An unauthenticated attacker can flood unique variable pairs before the terminating IAC SE byte, which are then stored in a HashMap by the readNEVariables() function. This process can exhaust the JVM heap memory, leading to an OutOfMemoryError, a condition where the Java Virtual Machine cannot allocate more memory for objects.
Recommendations Update to version 3.30.14. Update to version 4.0.16. Update to version 4.2.1.

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56740

Affected Products

Jline