PT-2026-60884 · Jline · Jline
CVE-2026-56740
·
Published
2026-07-17
·
Updated
2026-07-18
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
JLine versions prior to 3.30.14
JLine versions prior to 4.0.16
JLine versions prior to 4.2.1
Description
The JLine3 Telnet server remote-telnet module fails to limit the number of environment variables a client can inject using the Telnet NEW-ENVIRON option. An unauthenticated attacker can flood unique variable pairs before the terminating IAC SE byte, which are then stored in a HashMap by the
readNEVariables() function. This process can exhaust the JVM heap memory, leading to an OutOfMemoryError, a condition where the Java Virtual Machine cannot allocate more memory for objects.Recommendations
Update to version 3.30.14.
Update to version 4.0.16.
Update to version 4.2.1.
Fix
DoS
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jline