CVE-2026-56740
Received Received - Intake

JLine Telnet Server Heap Exhaustion via Environment Variables

Vulnerability report for CVE-2026-56740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
jline jline to 3.30.14 (inc)
jline jline to 4.0.16 (inc)
jline jline to 4.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in the JLine Java library's Telnet server module. It allows unauthenticated attackers to send excessive environment variables via the Telnet NEW-ENVIRON option, causing the server to store them in memory until the JVM runs out of heap space and crashes with an OutOfMemoryError.

Detection Guidance

Detect this vulnerability by monitoring for excessive memory usage or OutOfMemoryError logs in Java applications using JLine's Telnet server. Check for unusual network traffic patterns targeting Telnet ports (typically 23) with a high volume of NEW-ENVIRON requests.

Impact Analysis

If you use a vulnerable version of JLine's Telnet server, an attacker could crash your application by sending too many environment variables, leading to denial of service. This could disrupt services relying on the Telnet server.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by enabling denial-of-service attacks that disrupt system availability. An attacker could exploit the flaw to exhaust JVM heap memory, causing service outages that may violate availability requirements in these regulations.

Mitigation Strategies

Upgrade JLine to versions 3.30.14, 4.0.16, or 4.2.1 or later. If upgrading is not immediately possible, disable the Telnet server module in JLine or restrict access to the Telnet port via firewall rules until the update is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart