Internet Explorer is no longer supported. Many things will still work, but your experience will be degraded and some things won't function. Please use a modern browser such as Edge, Chrome, or Firefox.

PGV-2652468

Disclosed on July 17, 2026 (updated July 18, 2026)

Vulnerability Overview

PGV-2652468 is a category 2 vulnerabilty that affects the following packages:

  • debian/jline source, bookworm, versions (all)
  • debian/jline source, bullseye, versions (all)
  • debian/jline source, forky, versions (all)
  • debian/jline source, trixie, versions (all)
  • debian/jline2 source, bookworm, versions (all)
  • debian/jline2 source, bullseye, versions (all)
  • debian/jline2 source, forky, versions (all)
  • debian/jline2 source, trixie, versions (all)
  • debian/jline3 source, bookworm, versions (all)
  • debian/jline3 source, bullseye, versions (all)
  • debian/jline3 source, forky, versions (all)
  • debian/jline3 source, trixie, versions (all)

Risk Assessment

The risk assessment shows that this vulnerability is exlpoited by a external attacker. An unauthorized external actor who attempts to exploit this vulnerability without legitimate access.

The impact is contained to the application. Exploitation remains confined to the application and cannot affect the host environment or external systems.

The threat damage is caused by a denial of service. Exploitation can completely deny access to the application, resulting in a full outage.

Vulnerability Details

JLine is a Java library for handling console input. Prior to 3.30.14, 4.0.16, and 4.2.1, the JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option, and TelnetIO.readNEVariables() in TelnetIO.java:1127-1180 stores each variable pair in a HashMap held by ConnectionData, allowing an unauthenticated attacker to flood unique variable pairs before the terminating IAC SE byte and exhaust JVM heap memory with an OutOfMemoryError. This issue is fixed in versions 3.30.14, 4.0.16, and 4.2.1.

Common Weakness Enumerations

  • CWE-400 - Uncontrolled Resource Consumption
Your Risk Profile
Network Exposure
External
Accessable from the public internet
Access Interface
WebBrowser
Primarily web-based applications
Service Outage
Disruptive
Operations would be impacted
Data Breach
Disruptive
Operations would be impacted
Data Tampering
Disruptive
Operations would be impacted
Customize
Additional Identifiers
  • DEBIAN-CVE-2026-56740