Cyber Resilience

CVE-2026-1605

Severity: High · DDoS

Published: 05 March 2026
Modified: 06 March 2026
KEV Added: not listed
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0003 (10.2th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-1605 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Eclipse Jetty. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-6 (Resource Availability) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-1605 is a resource leak vulnerability in the GzipHandler class of Eclipse Jetty, affecting versions 12.0.0 through 12.0.31 and 12.1.0 through 12.0.5. The issue arises when processing a compressed HTTP request with Content-Encoding: gzip, where the JDK Inflater is allocated to decompress the request but not released. This occurs because the release mechanism is tied to generating a compressed response, which does not trigger if the response is uncompressed, leading to a memory leak. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption) and CWE-401 (Memory Leak).

Unauthenticated remote attackers can exploit this vulnerability by sending HTTP requests with gzip-compressed content where the server responds without compression. Repeated exploitation causes progressive memory consumption as Inflater instances accumulate without release, potentially leading to denial of service through resource exhaustion.

For mitigation details, refer to the Jetty security advisory at https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f.


Vulnerability details

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Remote unauthenticated exploitation of a public-facing Jetty web server via crafted gzip requests maps directly to T1190; the resulting memory-exhaustion DoS matches T1499.004 (Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2026-2332 (same product: Eclipse Jetty)
- CVE-2026-5795 (same product: Eclipse Jetty)
- CVE-2025-0728 (same vendor: Eclipse)
- CVE-2025-55102 (same vendor: Eclipse)
- CVE-2025-55100 (same vendor: Eclipse)
- CVE-2026-6918 (same vendor: Eclipse)
- CVE-2026-1188 (same vendor: Eclipse)
- CVE-2025-0726 (same vendor: Eclipse)
- CVE-2025-67109 (same vendor: Eclipse)
- CVE-2025-0727 (same vendor: Eclipse)

Affected Assets

Vendor: eclipse
Product: jetty
Versions: 12.0.0 to 12.0.32 · 12.1.0 to 12.1.6

Mitigating Controls (NIST 800-53 r5) (AI)

- SI-2 Flaw Remediation (prevent): Directly remediates the memory leak flaw in Eclipse Jetty's GzipHandler by identifying, reporting, and applying vendor patches or upgrades to affected versions.
- SC-6 Resource Availability (prevent): Protects system resources from exhaustion by implementing controls that prevent unauthorized depletion due to unreleased JDK Inflater instances from repeated gzip requests.
- (prevent): Limits the impact of denial-of-service attacks exploiting the memory leak through repeated gzip-compressed HTTP requests without compressed responses.
