Download: Stable · Snapshot | Docs | Changes | Wishlist
Up to and including version 0.70, PuTTY's terminal emulator supports remembering an unlimited number of combining characters in each character cell of the terminal. They may not be displayed very clearly, but PuTTY will at least try to display them, and will remember them for copy and paste purposes.
Unfortunately, this means that sending a long unbroken string of combining characters to the terminal causes it to allocate potentially unlimited amounts of memory. Moreover, the combining characters are stored as a linked list, leading to quadratic-time behaviour, so the terminal will slow down to the point of unusability as well.
In other words, any process that can arrange to write Unicode text output
to your terminal – even if it consists of printable characters only –
can perform a denial-of-service attack. This could be as simple as
leaving a text file somewhere for you to
As of 0.71, this is fixed by limiting each character cell to at most 32 combining characters. After that, the contents of the cell become U+FFFD REPLACEMENT CHARACTER with no combining characters at all.
CVE ID CVE-2019-9897 has been assigned for the collection of terminal DoS attacks fixed in 0.71, including this, vuln-terminal-dos-combining-chars-double-width-gtk and vuln-terminal-dos-one-column-cjk.