High severityNVD Advisory· Published Mar 5, 2026· Updated Mar 5, 2026

CVE-2026-1605

Description

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.

This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Eclipse Jetty's GzipHandler leaks JDK Inflater objects off-heap when processing compressed requests that receive uncompressed responses, leading to out-of-memory crashes.

Vulnerability

In Eclipse Jetty versions 12.0.0 through 12.0.31 and 12.1.0 through 12.0.5, the GzipHandler class contains a memory leak vulnerability. When a compressed HTTP request (with Content-Encoding: gzip) is processed and the corresponding response is not compressed (i.e., without Accept-Encoding: gzip), a JDK Inflater object is allocated for decompression but is never released back into the pool. This happens because the release mechanism is incorrectly tied to the compressed response path, so the inflater leak persists [1][4].

Exploitation

An attacker can trigger this vulnerability remotely by sending a crafted gzip-compressed HTTP request to a Jetty server that uses GzipHandler. No authentication is required, and the attack can be performed over the network. The leak occurs on every such request; repeated attacks will accumulate leaked Inflater objects, which consume both Java heap and native (off-heap) memory [4].

Impact

Over time, the sustained memory leak leads to off-heap OutOfMemoryError, causing the Jetty server to crash. This is a denial-of-service (DoS) vulnerability. The issue is reported in the Jetty project's security advisory as GHSA-xxh7-fcf3-rj7f [4].

Mitigation

At the time of publication, no official patch is available. The recommended workaround is to disable GzipHandler entirely until a fixed release is deployed [4].

References

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.eclipse.jetty:jetty-serverMaven	>= 12.1.0, < 12.1.6	12.1.6
org.eclipse.jetty:jetty-serverMaven	>= 12.0.0, < 12.0.32	12.0.32

Affected products

Eclipse/Jettyllm-fuzzy
Range: >=12.0.0 <=12.0.31, >=12.1.0 <=12.0.5
Eclipse Foundation/Eclipse Jettyv5
Range: 12.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-xxh7-fcf3-rj7fghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-1605ghsaADVISORY
github.com/jetty/jetty.project/issues/14260ghsaWEB
github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7fghsaWEB
gitlab.eclipse.org/security/cve-assignment/-/issues/79ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000