Severity: 7.5 HIGH
EPSS: 0.1% (top 81.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 5; latest update Mar 16

Description

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing
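The leak pattern the description outlines, as an added illustration that is not Jetty's code: a hypothetical handler that acquires a JDK Inflater for a compressed request body but releases it only on the response-compression path, beside the same handler with the release moved into a finally block so it no longer depends on the response. The Inflater and Deflater calls are real JDK APIs; the handler methods, the outstanding counter and the sample body are constructed for this example.

```java
import java.util.Arrays;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class InflaterLeakDemo {
    // Hypothetical bookkeeping: Inflaters acquired but not yet released.
    // A leak shows up as a count that grows with every request whose response
    // is not compressed, which is the condition the advisory describes.
    static int outstanding = 0;

    static Inflater acquire() { outstanding++; return new Inflater(); }
    static void release(Inflater inf) { inf.end(); outstanding--; }

    // Decompress a zlib-wrapped request body (sample input, not a real request).
    static byte[] decompress(Inflater inf, byte[] body) throws DataFormatException {
        inf.setInput(body);
        byte[] out = new byte[1024];
        int n = inf.inflate(out);
        return Arrays.copyOf(out, n);
    }

    // Vulnerable shape: the release is reached only when the response is compressed.
    static void handleLeaky(byte[] body, boolean compressResponse) throws DataFormatException {
        Inflater inf = acquire();
        byte[] plain = decompress(inf, body);
        if (compressResponse) {
            // ... compress the response using plain ...
            release(inf); // never runs for an uncompressed response: Inflater leaks
        }
    }

    // Fixed shape: the release is tied to request handling, not to the response path.
    static void handleFixed(byte[] body, boolean compressResponse) throws DataFormatException {
        Inflater inf = acquire();
        try {
            byte[] plain = decompress(inf, body);
            if (compressResponse) { /* ... compress the response using plain ... */ }
        } finally {
            release(inf); // runs on every path, including exceptions
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample body: a small compressed payload.
        Deflater d = new Deflater();
        d.setInput("hello".getBytes());
        d.finish();
        byte[] buf = new byte[64];
        byte[] body = Arrays.copyOf(buf, d.deflate(buf));
        d.end();

        for (int i = 0; i < 100; i++) handleLeaky(body, false);
        System.out.println("leaky handler, outstanding Inflaters: " + outstanding);
        outstanding = 0;
        for (int i = 0; i < 100; i++) handleFixed(body, false);
        System.out.println("fixed handler, outstanding Inflaters: " + outstanding);
    }
}
```

The same counter idea, applied to whatever pool or resource a server wraps around Inflater, is a practical way to confirm a fix: drive requests with a compressed body and an uncompressed response and check that the outstanding count returns to zero.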

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (4 packages)

Source      Package                            Versions
NVD         eclipse/jetty                      12.0.0 to 12.0.32 (+1)
Maven       org.eclipse.jetty:jetty-server     12.1.0 to 12.1.6 (+1)
CVEListV5   eclipse_foundation/eclipse_jetty   12.0.0 to 12.0.31 (+1)
Debian      jetty12                            < 12.0.32-1

Vulnerability Details (5)

GHSA: StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens (2026-03-16)
OSV: The Eclipse Jetty Server Artifact has a Gzip request memory leak (2026-03-05)
CVEList: CVE-2026-1605: In Eclipse Jetty, versions 12 (2026-03-05)
GHSA: The Eclipse Jetty Server Artifact has a Gzip request memory leak (2026-03-05)
OSV: CVE-2026-1605: In Eclipse Jetty, versions 12 (2026-03-05)

Vendor Advisories (2)

Red Hat: org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests (2026-03-05)
Debian: CVE-2026-1605: jetty12 - In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler e... (2026)

Threat Intelligence (1)

Wiz: CVE-2026-1605 Impact, Exploitability, and Mitigation Steps | Wiz