CVE-2026-56740
JLine: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.
| CWE | CWE-400 |
| Vendor | jline |
| Product | jline3 |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for jline jline3
Be the first to know when new high vulnerabilities affecting jline jline3 are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
jline / jline3
< 3.30.14 >= 4.0.0, < 4.0.16 >= 4.1.0, < 4.2.1
References
github.com: https://github.com/jline/jline3/security/advisories/GHSA-47qp-hqvx-6r3f github.com: https://github.com/jline/jline3/pull/2000 github.com: https://github.com/jline/jline3/pull/2001 github.com: https://github.com/jline/jline3/commit/0389f0ee6d0375901b602671ad5dafd4d1d4ee09 github.com: https://github.com/jline/jline3/commit/4ee3a73849ffb9a85ec748e4e8cd8f6d81f84f40 github.com: https://github.com/jline/jline3/commit/934f09e6128cee33c2b13d42b6e859c1ee2d194b github.com: https://github.com/jline/jline3/releases/tag/4.0.16 github.com: https://github.com/jline/jline3/releases/tag/4.2.1 github.com: https://github.com/jline/jline3/releases/tag/jline-3.30.14