{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-1605","assignerOrgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","state":"PUBLISHED","assignerShortName":"eclipse","dateReserved":"2026-01-29T10:58:31.963Z","datePublished":"2026-03-05T09:39:01.315Z","dateUpdated":"2026-06-30T12:07:07.502Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Eclipse Jetty","repo":"https://github.com/jetty/jetty.project","vendor":"Eclipse Foundation","versions":[{"lessThanOrEqual":"12.0.31","status":"affected","version":"12.0.0","versionType":"semver"},{"lessThanOrEqual":"12.1.5","status":"affected","version":"12.1.0.","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Gleb Sizov (@glebashnik)"},{"lang":"en","type":"finder","value":"Bjørn Christian Seime (@bjorncs)"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<p>In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class <code>GzipHandler</code> exposes a vulnerability when a compressed HTTP request, with <code>Content-Encoding: gzip</code>, is processed and the corresponding response is not compressed.</p>\n<p>This happens because the JDK <code>Inflater</code> is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.</p>"}],"value":"In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\n\n\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-400","description":"CWE-400 Uncontrolled Resource Consumption","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-401","description":"CWE-401 Missing Release of Memory after Effective Lifetime","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"e51fbebd-6053-4e49-959f-1b94eeb69a2c","shortName":"eclipse","dateUpdated":"2026-03-05T09:39:01.315Z"},"references":[{"url":"https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f"}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-03-05T14:46:07.126962Z","id":"CVE-2026-1605","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-05T14:46:16.289Z"}},{"affected":[{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8"],"defaultStatus":"affected","product":"Red Hat JBoss EAP 8.1 for RHEL 8","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9"],"defaultStatus":"affected","product":"Red Hat JBoss EAP 8.1 for RHEL 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4.4::el9"],"defaultStatus":"affected","product":"HawtIO HawtIO 4.4.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_broker:7.14"],"defaultStatus":"affected","product":"Red Hat AMQ Broker 7.14.0","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform 8.1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3.28::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces 3.28","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:ocp_tools"],"defaultStatus":"affected","product":"OpenShift Developer Tools and Services","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"unaffected","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:service_registry:2"],"defaultStatus":"unaffected","product":"Red Hat build of Apicurio Registry 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apicurio_registry:3"],"defaultStatus":"unaffected","product":"Red Hat build of Apicurio Registry 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:2"],"defaultStatus":"unaffected","product":"Red Hat build of Debezium 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"unaffected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_data_grid:8"],"defaultStatus":"unaffected","product":"Red Hat Data Grid 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"unaffected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"unaffected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:7"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"unaffected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_web_server:6"],"defaultStatus":"unaffected","product":"Red Hat JBoss Web Server 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:offline_knowledge_portal:1"],"defaultStatus":"unaffected","product":"Red Hat Offline Knowledge Portal","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"],"defaultStatus":"unaffected","product":"Red Hat Process Automation 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:satellite:6"],"defaultStatus":"unaffected","product":"Red Hat Satellite 6","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:red_hat_single_sign_on:7"],"defaultStatus":"unaffected","product":"Red Hat Single Sign-On 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:2"],"defaultStatus":"unaffected","product":"streams for Apache Kafka 2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"unaffected","product":"streams for Apache Kafka 3","vendor":"Red Hat"}],"datePublic":"2026-03-05T09:39:01.315Z","descriptions":[{"lang":"en","value":"A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server's response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustion can result in a Denial of Service (DoS), making the server unavailable to legitimate users."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-772","description":"Missing Release of Resource after Effective Lifetime","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-1605"},{"name":"RHBZ#2444815","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2444815"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1605.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25125"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25089"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:8509"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25126"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:21772"}],"solutions":[{"lang":"en","value":"RHSA-2026:25125: Red Hat JBoss EAP 8.1 for RHEL 8, Red Hat JBoss EAP 8.1 for RHEL 9"},{"lang":"en","value":"RHSA-2026:25089: HawtIO HawtIO 4.4.0"},{"lang":"en","value":"RHSA-2026:8509: Red Hat AMQ Broker 7.14.0"},{"lang":"en","value":"RHSA-2026:25126: Red Hat JBoss Enterprise Application Platform 8.1"},{"lang":"en","value":"RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28"}],"timeline":[{"lang":"en","time":"2026-03-05T11:00:57.250Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-03-05T09:39:01.315Z","value":"Made public."}],"title":"org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:07:07.502Z"}}]}}