PT-2026-60885 · Jline · Jline
CVE-2026-56741
·
Published
2026-07-17
·
Updated
2026-07-18
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
JLine versions prior to 3.30.14
JLine versions prior to 4.0.16
JLine versions prior to 4.2.1
Description
The JLine3 Telnet server remote-telnet module fails to apply an upper bound to terminal dimensions received via the Telnet NAWS option. The
handleNAWS() function in TelIO.java reads client-supplied width and height as 16-bit unsigned integers and passes these values to setTerminalGeometry(). An unauthenticated remote attacker can repeatedly alternate these values, such as 65535x65535, to trigger continuous expensive rendering work, leading to CPU exhaustion and a denial of service.Recommendations
Update to version 3.30.14 or later.
Update to version 4.0.16 or later.
Update to version 4.2.1 or later.
Fix
DoS
Resource Exhaustion
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jline