CVE-2026-56740

high

Description

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

References

https://github.com/jline/jline3/security/advisories/GHSA-47qp-hqvx-6r3f

https://github.com/jline/jline3/releases/tag/jline-3.30.14

https://github.com/jline/jline3/releases/tag/4.2.1

https://github.com/jline/jline3/releases/tag/4.0.16

https://github.com/jline/jline3/pull/2001

https://github.com/jline/jline3/pull/2000

https://github.com/jline/jline3/commit/934f09e6128cee33c2b13d42b6e859c1ee2d194b

https://github.com/jline/jline3/commit/4ee3a73849ffb9a85ec748e4e8cd8f6d81f84f40

https://github.com/jline/jline3/commit/0389f0ee6d0375901b602671ad5dafd4d1d4ee09

Details

Source: Mitre, NVD

Published: 2026-07-17

Updated: 2026-07-17

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Severity: High

CVSS v3

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Severity: High

EPSS

EPSS: 0.00511