CVE-2026-1605
HIGHCVSS v3.1: 7.5 · EPSS: 0.0037 (28.6 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 7.5 v3.1 · NVD
- EPSS
- 0.0037 (28.6 percentile) · FIRST.org
- CISA KEV
- No
- Type
- Resource Exhaustion (DoS), Memory Leak · NVD CWE
- Attack conditions (CVSS vector)
- NetworkNo privilegesNo user interaction · Source: NVD Vector
- Affected vendors
- eclipse
- Published
- 2026-03-05 · Modified: 2026-06-30
- References
- Jump to references (8)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Vendor advisory https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
- Distro https://access.redhat.com/errata/RHSA-2026:21772
- Distro https://access.redhat.com/errata/RHSA-2026:25089
- Distro https://access.redhat.com/errata/RHSA-2026:25125
- Distro https://access.redhat.com/errata/RHSA-2026:25126
- Distro https://access.redhat.com/errata/RHSA-2026:8509
- Distro https://access.redhat.com/security/cve/CVE-2026-1605
- Distro https://bugzilla.redhat.com/show_bug.cgi?id=2444815