CVE-2026-1605
Published: 05 March 2026
Summary
CVE-2026-1605 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Eclipse Jetty. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 18.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Limiting concurrent sessions caps the number of active sessions per user or account and so bounds resource consumption by authenticated clients; because this issue is triggered without authentication (PR:N), the comparable control here is a per-client limit on concurrent connections or request rate, since no session is needed to provoke the leak.
Monitoring and analysis of system telemetry identifies resource consumption indicative of denial-of-service or abuse attempts; for this issue that means tracking process memory (the leaked JDK Inflater holds native zlib state, so growth may appear outside the Java heap) and the rate of gzip-encoded requests whose responses were not compressed.
Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.
Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.
Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.
Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.
The incident response team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.
Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Remote unauthenticated exploitation of a public-facing Jetty web server via gzip-encoded requests (no special crafting beyond a valid gzip body is needed) directly enables T1190; the resulting memory exhaustion DoS matches T1499.004 Application or System Exploitation.
NVD Description
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
Deeper analysis (AI)
CVE-2026-1605 is a resource leak in the GzipHandler class of Eclipse Jetty, affecting 12.0.0 through 12.0.31 and the 12.1.x line from 12.1.0 up to the last affected release named in the advisory (the NVD text prints that upper bound as 12.0.5, which is inconsistent with a 12.1 range, so confirm the exact boundary against the advisory). When a request arrives with Content-Encoding: gzip, GzipHandler allocates a JDK Inflater to decompress the body, but the code that releases the Inflater runs only when the corresponding response is gzip-compressed. If the response is sent uncompressed, the release never happens and the Inflater leaks. Because java.util.zip.Inflater wraps native zlib state that lives outside the Java heap, the leaked memory does not show up as heap growth; watch process RSS or JVM native memory tracking rather than heap metrics alone. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Memory Leak).
No special crafting is required: an unauthenticated remote attacker sends ordinary HTTP requests with a gzip-compressed body to any endpoint whose response is not gzip-compressed, and each such request leaks one Inflater. Repeating this at volume causes progressive memory consumption as Inflater instances accumulate without release, eventually exhausting memory and denying service. The impact is availability only; confidentiality and integrity are unaffected, consistent with the C:N/I:N/A:H vector.
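As an added example (not from this page or the Jetty project), the check below implements the monitoring control above by flagging the advisory's trigger condition in Jetty access logs: a request carrying Content-Encoding: gzip that received a response without gzip encoding. Under the advisory's description each such request leaks one Inflater, so the per-client count is a direct estimate of leaked Inflaters attributable to that source since the last restart. It assumes (not stated on the page) a Jetty CustomRequestLog format that appends the request and response Content-Encoding headers, i.e. `%{client}a - %u %t "%r" %s %b "%{Content-Encoding}i" "%{Content-Encoding}o"`; the log lines are constructed for the example and the alert threshold is a placeholder.

```python
"""Flag CVE-2026-1605 trigger requests in Jetty access logs.

Assumed log format (not from the advisory; configure CustomRequestLog accordingly):
    %{client}a - %u %t "%r" %s %b "%{Content-Encoding}i" "%{Content-Encoding}o"
Absent headers are logged as "-".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

LOG_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<req_enc>[^"]*)" "(?P<resp_enc>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class Entry:
    client: str
    request: str
    status: int
    req_enc: str   # request Content-Encoding header as logged ("-" if absent)
    resp_enc: str  # response Content-Encoding header as logged ("-" if absent)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Entry(m["client"], m["request"], int(m["status"]), m["req_enc"], m["resp_enc"])


def _encodings(header: str) -> set:
    """Split a Content-Encoding value into a lower-cased token set; "-" means absent."""
    if header == "-" or not header.strip():
        return set()
    return {tok.strip().lower() for tok in header.split(",") if tok.strip()}


def is_leak_trigger(e: Entry) -> bool:
    """The advisory's condition: gzip-encoded request body, response not gzip-compressed."""
    return "gzip" in _encodings(e.req_enc) and "gzip" not in _encodings(e.resp_enc)


def scan(lines: Iterable[str], threshold: int = 100) -> dict:
    """Count trigger requests per client and flag clients at or above the threshold."""
    per_client: Counter = Counter()
    parsed = skipped = 0
    for line in lines:
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            skipped += 1  # unparseable line: count it so silent format drift is visible
            continue
        parsed += 1
        if is_leak_trigger(entry):
            per_client[entry.client] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "triggers": dict(per_client),
        "flagged": sorted(c for c, n in per_client.items() if n >= threshold),
    }


# Constructed sample log (not real traffic). Lines 2, 4, 5 and 6 match the trigger
# condition; line 1 gets a compressed response, line 3 sends no compressed body,
# and the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "POST /api/upload HTTP/1.1" 200 512 "gzip" "gzip"
203.0.113.7 - - [05/Mar/2026:10:00:02 +0000] "POST /api/ping HTTP/1.1" 204 - "gzip" "-"
198.51.100.4 - - [05/Mar/2026:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 8192 "-" "gzip"
203.0.113.7 - - [05/Mar/2026:10:00:03 +0000] "POST /api/ping HTTP/1.1" 204 - "gzip" "-"
203.0.113.7 - - [05/Mar/2026:10:00:03 +0000] "POST /api/ping HTTP/1.1" 204 - "GZIP" "-"
198.51.100.9 - - [05/Mar/2026:10:00:04 +0000] "POST /api/data HTTP/1.1" 200 64 "gzip" "identity"
this line is not in the expected format
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines(), threshold=3)
    for client, n in sorted(result["triggers"].items(), key=lambda kv: -kv[1]):
        print(f"{client}: {n} gzip requests with uncompressed responses (~{n} leaked Inflaters)")
    print("flagged:", result["flagged"], "| parsed:", result["parsed"], "skipped:", result["skipped"])
```

Run it against the real access log (`scan(open(path), threshold=...)`) and alert on `flagged`; a non-zero `skipped` count usually means the CustomRequestLog format differs from the one assumed here, so fix the regex before trusting the counts.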
For the fixed versions and mitigation details, refer to the Jetty security advisory at https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f. Upgrading to a fixed release is the remediation. Until that is done, two interim measures follow from the description: because the leak is triggered only by requests carrying Content-Encoding: gzip, rejecting such requests at a reverse proxy (where no client legitimately uploads compressed bodies) removes the vulnerable code path, and restarting affected JVMs on a schedule bounds how much leaked Inflater memory can accumulate.
Details
- CWE(s)