PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-1605 Eclipse CVE debrief

CVE-2026-1605 is a high-severity vulnerability in Eclipse Jetty, specifically affecting the GzipHandler component. The vulnerability occurs when a compressed HTTP request with Content-Encoding: gzip is processed, and the corresponding response is not compressed. This causes a resource leak because the JDK Inflater is allocated for decompression but not released, as the release mechanism is tied to the compressed response. The vulnerability impacts Jetty versions 12.0.0-12.0.31 and 12.1.0-12.1.6. Users should update to a patched version to mitigate this issue.

Vendor
Eclipse
Product
Jetty
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-05
Original CVE updated
2026-06-30
Advisory published
2026-03-05
Advisory updated
2026-06-30

Who should care

This vulnerability affects users of Eclipse Jetty, particularly those using versions 12.0.0-12.0.31 and 12.1.0-12.1.6. It is crucial for administrators and developers using Jetty to assess their exposure and take necessary actions to protect their systems.

Technical summary

The GzipHandler in Eclipse Jetty leaks a resource when handling compressed HTTP requests. When a request carrying Content-Encoding: gzip is processed and the response is not compressed, the JDK Inflater allocated to decompress the request body is never released, because the release step is tied to compression of the response rather than to the lifetime of the request. Every such request therefore leaves an Inflater allocated. This vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.
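To make the bug class concrete, the following Java example is added here; it is not Jetty's GzipHandler code. It shows a hypothetical request handler whose Inflater release is coupled to the compressed-response branch next to a version whose release is bound to the request lifetime with try/finally, and counts live Inflater handles so the difference is visible. The Exchange class, the TrackedInflater subclass, the handler names and the sample payload are all constructed for the example; zlib framing is used instead of gzip framing so the helper stays short.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

/*
 * Hypothetical handler (not Jetty's GzipHandler) reproducing the bug class in
 * the debrief: the request-side Inflater is ended only when the response is
 * compressed. All names and the sample payload are constructed for this example.
 */
public class RequestInflaterLifecycle {

    /** Inflater subclass that counts live handles so the leak is observable. */
    static final class TrackedInflater extends Inflater {
        static int live = 0;
        TrackedInflater() { super(); live++; }
        @Override public void end() { live--; super.end(); }
    }

    /** Minimal stand-in for an HTTP exchange (constructed for the example). */
    static final class Exchange {
        final byte[] requestBody;
        final boolean requestCompressed;   // Content-Encoding present on the request
        final boolean responseCompressed;  // handler compresses the response
        Exchange(byte[] body, boolean req, boolean resp) {
            requestBody = body; requestCompressed = req; responseCompressed = resp;
        }
    }

    /** Leaky pattern: end() is reached only on the compressed-response path. */
    static byte[] handleLeaky(Exchange ex) throws DataFormatException {
        Inflater inflater = null;
        byte[] body = ex.requestBody;
        if (ex.requestCompressed) {
            inflater = new TrackedInflater();
            body = inflate(inflater, body);
        }
        byte[] response = process(body);
        if (ex.responseCompressed) {
            // response compression would happen here; release is coupled to it
            if (inflater != null) inflater.end();
        }
        return response;   // uncompressed-response path: inflater is never ended
    }

    /** Fixed pattern: release on every exit path, including exceptions. */
    static byte[] handleFixed(Exchange ex) throws DataFormatException {
        Inflater inflater = null;
        try {
            byte[] body = ex.requestBody;
            if (ex.requestCompressed) {
                inflater = new TrackedInflater();
                body = inflate(inflater, body);
            }
            return process(body);
        } finally {
            if (inflater != null) inflater.end();
        }
    }

    /** Inflate a complete zlib stream into a byte array. */
    static byte[] inflate(Inflater inflater, byte[] compressed) throws DataFormatException {
        inflater.setInput(compressed);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!inflater.finished()) {
            int n = inflater.inflate(buf);
            if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                throw new DataFormatException("truncated or unsupported compressed input");
            }
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /** Placeholder application logic. */
    static byte[] process(byte[] body) {
        return new String(body, StandardCharsets.UTF_8).toUpperCase().getBytes(StandardCharsets.UTF_8);
    }

    /** Compress a sample request body with zlib framing. */
    static byte[] compress(byte[] plain) {
        Deflater deflater = new Deflater();
        try {
            deflater.setInput(plain);
            deflater.finish();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[256];
            while (!deflater.finished()) {
                out.write(buf, 0, deflater.deflate(buf));
            }
            return out.toByteArray();
        } finally {
            deflater.end();
        }
    }

    public static void main(String[] args) throws DataFormatException {
        byte[] compressedBody = compress("hello jetty".getBytes(StandardCharsets.UTF_8));
        // Compressed request, uncompressed response: the shape the debrief describes.
        handleLeaky(new Exchange(compressedBody, true, false));
        System.out.println("live inflaters after leaky handler: " + TrackedInflater.live);
        TrackedInflater.live = 0;
        handleFixed(new Exchange(compressedBody, true, false));
        System.out.println("live inflaters after fixed handler: " + TrackedInflater.live);
    }
}
```

Compile and run with `javac RequestInflaterLifecycle.java && java RequestInflaterLifecycle`. The leaky handler leaves one live Inflater after a compressed request with an uncompressed response, while the fixed handler leaves none; the same try/finally shape is what a review of any request-decompression wrapper should look for, since each leaked Inflater holds native memory that the garbage collector does not reclaim promptly.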

Defensive priority

High priority should be given to patching this vulnerability: each compressed request that receives an uncompressed response leaves an Inflater allocated, so repeated requests can exhaust resources. Administrators should prioritize updating Jetty to a version that includes a fix for this issue.

Recommended defensive actions

  • Update Eclipse Jetty to a version that patches this vulnerability (e.g., Jetty 12.0.32 or 12.1.7).
  • Review and adjust configurations to ensure that responses are properly compressed when necessary.
  • Monitor Jetty instances for unusual resource usage patterns that could indicate exploitation attempts.
  • Implement additional monitoring to detect potential exploitation attempts.
  • Consider applying compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent exploitation.

Evidence notes

The CVE-2026-1605 vulnerability was publicly disclosed on March 5, 2026, and has since been modified on June 30, 2026. The vulnerability affects Eclipse Jetty versions 12.0.0-12.0.31 and 12.1.0-12.1.6. Multiple sources, including the NVD and Red Hat advisories, confirm the details of this vulnerability.

Official resources

This article is AI-assisted and based on the supplied source corpus.