PatchSiren cyber security CVE debrief
CVE-2026-1605 Eclipse CVE debrief
CVE-2026-1605 is a high-severity vulnerability in Eclipse Jetty, specifically affecting the GzipHandler component. The vulnerability occurs when a compressed HTTP request with Content-Encoding: gzip is processed, and the corresponding response is not compressed. This causes a resource leak because the JDK Inflater is allocated for decompression but not released, as the release mechanism is tied to the compressed response. The vulnerability impacts Jetty versions 12.0.0-12.0.31 and 12.1.0-12.1.6. Users should update to a patched version to mitigate this issue.
- Vendor: Eclipse
- Product: Jetty
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-05
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-05
- Advisory updated: 2026-06-30
Who should care
This vulnerability affects users of Eclipse Jetty, particularly those running versions 12.0.0-12.0.31 and 12.1.0-12.1.6. Administrators and developers running Jetty should assess their exposure and patch affected instances.
Technical summary
The GzipHandler in Eclipse Jetty is vulnerable to a resource leak when handling compressed HTTP requests. Specifically, when a request with Content-Encoding: gzip is processed and the response is not compressed, the JDK Inflater allocated for decompression is not released. This issue arises because the release mechanism for the Inflater is tied to the compression of the response. As a result, the Inflater remains allocated, leading to a resource leak. This vulnerability has a CVSS score of 7.5 and is classified as HIGH severity.
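The leak pattern described above, reduced to a schematic Java example added here; it is not Jetty's code and uses invented Request/Response stand-ins rather than Jetty types. The "leaky" handler only reaches Inflater.end() on the compressed-response path, while the fixed shape releases the Inflater whenever the request body has been consumed.

```java
import java.util.Arrays;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
public class InflaterReleaseDemo {
    // Schematic stand-ins for a request and its response; not Jetty types.
    record Request(boolean gzipEncoded, byte[] body) {}
    record Response(boolean compressed) {}
    static int unreleased = 0; // Inflaters whose native zlib state has not been freed with end()
    // Vulnerable shape: release is reached only when the response is compressed.
    static void handleLeaky(Request req, Response resp) throws DataFormatException {
        Inflater inf = null;
        if (req.gzipEncoded()) {
            inf = new Inflater(true); // raw deflate; a real gzip body also carries header/trailer
            unreleased++;
            inf.setInput(req.body());
            inf.inflate(new byte[256]);
        }
        if (resp.compressed() && inf != null) {
            inf.end();                // skipped for an uncompressed response: the leak
            unreleased--;
        }
    }
    // Fixed shape: release is tied to consuming the request body and runs on every path.
    static void handleFixed(Request req, Response resp) throws DataFormatException {
        if (!req.gzipEncoded()) return;
        Inflater inf = new Inflater(true);
        unreleased++;
        try {
            inf.setInput(req.body());
            inf.inflate(new byte[256]);
        } finally {
            inf.end();                // frees the native state promptly instead of waiting for GC
            unreleased--;
        }
    }
    public static void main(String[] args) throws DataFormatException {
        // Constructed sample body: raw-deflated bytes standing in for a gzip request body.
        Deflater def = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        def.setInput("hello jetty".getBytes()); def.finish();
        byte[] buf = new byte[256];
        byte[] body = Arrays.copyOf(buf, def.deflate(buf));
        def.end();
        for (int i = 0; i < 1000; i++) handleLeaky(new Request(true, body), new Response(false));
        System.out.println("leaky handler, unreleased Inflaters: " + unreleased);
        unreleased = 0;
        for (int i = 0; i < 1000; i++) handleFixed(new Request(true, body), new Response(false));
        System.out.println("fixed handler, unreleased Inflaters: " + unreleased);
    }
}
```

Requires Java 16 or later for records; the first loop leaves 1000 un-ended Inflaters, the second leaves none, which is the difference between a per-request native allocation that accumulates and one that is freed deterministically.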
Defensive priority
High priority should be given to patching this vulnerability, as it can lead to resource exhaustion if exploited repeatedly. Administrators should prioritize updating Jetty to a version that includes a fix for this issue.
Recommended defensive actions
- Update Eclipse Jetty to a version that patches this vulnerability (e.g., Jetty 12.0.32 or 12.1.7).
- Review and adjust configurations to ensure that responses are properly compressed when necessary.
- Monitor Jetty instances for unusual resource usage patterns that could indicate exploitation attempts.
- Implement additional monitoring to detect potential exploitation attempts.
- Consider applying compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent exploitation.
Evidence notes
The CVE-2026-1605 vulnerability was publicly disclosed on March 5, 2026, and has since been modified on June 30, 2026. The vulnerability affects Eclipse Jetty versions 12.0.0-12.0.31 and 12.1.0-12.1.6. Multiple sources, including the NVD and Red Hat advisories, confirm the details of this vulnerability.
Official resources
- CVE-2026-1605 CVE record (CVE.org)
- CVE-2026-1605 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.