Unrated severityNVD Advisory· Published Jul 18, 2026
Debian jline3: JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, an…
CVE-2026-56741
Description
JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received via the Telnet NAWS option, and TelnetIO.handleNAWS() in TelnetIO.java:856-879 reads client-supplied width and height as 16-bit unsigned integers and passes values such as 65535x65535 to setTerminalGeometry(), allowing an unauthenticated remote attacker to repeatedly alternate values and trigger continuous expensive rendering work that causes CPU exhaustion and denial of service. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.
Affected products
2- Range: 3.30.14, 4.0.16, 4.2.1
Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.