CVE-2026-56741
Received Received - Intake

JLine Telnet Server CPU Exhaustion via Unbounded Terminal Dimensions

Vulnerability report for CVE-2026-56741, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received via the Telnet NAWS option, and TelnetIO.handleNAWS() in TelnetIO.java:856-879 reads client-supplied width and height as 16-bit unsigned integers and passes values such as 65535x65535 to setTerminalGeometry(), allowing an unauthenticated remote attacker to repeatedly alternate values and trigger continuous expensive rendering work that causes CPU exhaustion and denial of service. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
jline jline to 3.30.14 (inc)
jline jline to 4.0.16 (inc)
jline jline to 4.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

JLine is a Java library for handling console input. The vulnerability exists in the JLine3 Telnet server remote-telnet module before versions 3.30.14, 4.0.16, and 4.2.1. It fails to set a limit on terminal dimensions received via the Telnet NAWS option. An attacker can send values like 65535x65535, causing the system to perform continuous expensive rendering work, leading to CPU exhaustion and denial of service.

Detection Guidance

Detecting this vulnerability requires checking if your JLine library version is affected. Use commands like 'find / -name "jline*.jar" 2>/dev/null' to locate JLine JAR files, then run 'java -jar <jarfile> -version' to check the version. Affected versions are below 3.30.14, 4.0.16, and 4.2.1.

Impact Analysis

This vulnerability allows an unauthenticated remote attacker to cause CPU exhaustion on the affected system by repeatedly sending large terminal dimensions. This can lead to degraded performance, system slowdowns, or complete denial of service, disrupting normal operations.

Compliance Impact

This vulnerability causes CPU exhaustion and denial of service through continuous rendering work, which could disrupt system availability. For GDPR, this may impact the 'availability' principle under Article 5, potentially leading to compliance issues if personal data processing is interrupted. For HIPAA, it could affect the 'availability' requirement for protected health information systems.

Mitigation Strategies

Immediately upgrade JLine to version 3.30.14, 4.0.16, or 4.2.1 or later. If upgrading is not possible, disable the Telnet server module or restrict network access to it until patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56741. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart