CVE-2026-56740 in JLineinfo

Summary

by MITRE • 07/18/2026

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability identified in JLine versions prior to 3.30.14, 4.0.16, and 4.2.1 represents a critical memory exhaustion flaw within the Telnet server implementation of the JLine3 library. This issue specifically affects the remote-telnet module which processes environment variables through the Telnet NEW-ENVIRON option, creating a pathway for malicious actors to exploit memory allocation patterns in the underlying Java Virtual Machine. The vulnerability stems from insufficient input validation and resource management within the TelnetIO.readNEVariables() method located at TelnetIO.java:1127-1180, where each environment variable pair received from a remote client is stored without any bounds checking or limiting mechanisms.

The technical implementation of this flaw allows an unauthenticated attacker to send a specially crafted Telnet NEW-ENVIRON sequence containing an excessive number of unique variable pairs before the terminating IAC SE byte. Each variable pair gets stored in a HashMap maintained by ConnectionData, effectively creating a memory leak scenario where the JVM heap grows uncontrollably with each malicious connection attempt. This particular vulnerability maps to CWE-400, specifically CWE-400: Uncontrolled Resource Consumption, which encompasses issues related to insufficient limits on resource allocation that can lead to denial of service conditions. The flaw demonstrates characteristics of a resource exhaustion attack pattern where the attacker leverages legitimate protocol features to consume system resources beyond acceptable thresholds.

The operational impact of this vulnerability extends beyond simple denial of service scenarios as it can potentially compromise entire application availability and stability. When an attacker successfully floods the HashMap with thousands or millions of unique variable pairs, the JVM eventually exhausts its heap memory allocation, resulting in OutOfMemoryError exceptions that can crash the application or render it unresponsive to legitimate users. This vulnerability is particularly dangerous in server environments where JLine3 Telnet services are exposed to untrusted networks, as it requires no authentication credentials and can be exploited by anyone with network access to the affected service. The attack vector aligns with ATT&CK technique T1499.004, specifically "Endpoint Denial of Service: File System Consumption," although adapted for memory resource exhaustion rather than disk space depletion.

Mitigation strategies should focus on implementing strict bounds checking and resource limiting within the Telnet server implementation. The fix implemented in versions 3.30.14, 4.0.16, and 4.2.1 includes proper validation of environment variable counts and memory allocation limits to prevent unlimited HashMap growth. Organizations should prioritize upgrading to patched versions immediately while considering additional defensive measures such as network-level access controls, rate limiting for Telnet connections, and monitoring for unusual memory consumption patterns in affected systems. The vulnerability highlights the importance of implementing proper input sanitization and resource management practices, particularly when handling data from untrusted sources in network protocols, and serves as a reminder that even legitimate protocol features can become security risks when not properly bounded and validated against malicious usage patterns.

Responsible

GitHub M

Reservation

06/22/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!