Vulnerability details: VCID-daws-9x98-vbbm
Vulnerability ID VCID-daws-9x98-vbbm
Aliases CVE-2026-1605
GHSA-xxh7-fcf3-rj7f
Summary The Eclipse Jetty Server Artifact has a Gzip request memory leak

### Description (as reported)

There is a memory leak when using `GzipHandler` in jetty-12.0.30 that can cause off-heap OOMs. This can be used for DoS attacks so I'm reporting this as a vulnerability.

The leak is created by requests where the request is inflated (`Content-Encoding: gzip`) and the response is not deflated (no `Accept-Encoding: gzip`). In these conditions, a new inflater will be created by `GzipRequest` and never released back into `GzipRequest.__inflaterPool` because `gzipRequest.destroy()` is not called. In heap dumps one can see thousands of `java.util.zip.Inflater` objects, which use both Java heap and native memory. Leaking native memory causes off-heap OOMs.

Code path in `GzipHandler.handle()`:

1. Line 601: `GzipRequest` is created when request inflation is needed.
2. Lines 611-616: The callback is only wrapped in `GzipResponseAndCallback` when both inflation and deflation are needed.
3. Lines 619-625: If the handler accepts the request (returns true), `gzipRequest.destroy()` is never called; it is only called in the "request not accepted" path (returns false).

When deflation is needed, `GzipResponseAndCallback` (lines 102 and 116) properly calls `gzipRequest.destroy()` in its `succeeded()` and `failed()` methods. But this wrapper is only created when deflation is needed.

Possible fix: The callback should be wrapped whenever a `GzipRequest` is created, not just when deflation is needed. This ensures `gzipRequest.destroy()` is always called when the request completes.

### Impact

The leak causes the JVM to crash with OOME.

### Patches

No patches yet.

### Workarounds

Disable `GzipHandler`.

### References

https://github.com/jetty/jetty.project/issues/14260
https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
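The three outcomes of `GzipHandler.handle()` described in the report, modelled as an added Python illustration. This is not Jetty code: `InflaterPool`, `GzipRequest`, `Callback`, `GzipResponseAndCallback` and `handle_request` are simplified stand-ins whose names are assumed for the model, and the only thing tracked is whether each pooled inflater is released. The `fixed` flag switches between the reported behaviour (callback wrapped only when the response is deflated) and the proposed fix (callback wrapped whenever a `GzipRequest` exists).

```python
class InflaterPool:
    """Stand-in for GzipRequest.__inflaterPool: counts inflaters checked out and returned."""

    def __init__(self):
        self.acquired = 0
        self.released = 0

    def acquire(self):
        self.acquired += 1
        return object()  # placeholder for java.util.zip.Inflater

    def release(self, inflater):
        self.released += 1

    @property
    def leaked(self):
        # Inflaters never returned to the pool (the report's off-heap leak).
        return self.acquired - self.released


class GzipRequest:
    """Created when the request body must be inflated (Content-Encoding: gzip)."""

    def __init__(self, pool):
        self.pool = pool
        self.inflater = pool.acquire()
        self.destroyed = False

    def destroy(self):
        if not self.destroyed:
            self.pool.release(self.inflater)
            self.destroyed = True


class Callback:
    """Completion callback the application handler eventually succeeds or fails."""

    def succeeded(self):
        pass

    def failed(self, exc):
        pass


class GzipResponseAndCallback(Callback):
    """Wrapper that destroys the GzipRequest on completion, mirroring the reported lines 102/116."""

    def __init__(self, gzip_request, inner):
        self.gzip_request = gzip_request
        self.inner = inner

    def succeeded(self):
        self.gzip_request.destroy()
        self.inner.succeeded()

    def failed(self, exc):
        self.gzip_request.destroy()
        self.inner.failed(exc)


def handle_request(pool, headers, handler_accepts, fixed):
    """One pass through the modelled gzip handler; returns whether the next handler accepted."""
    inflate = headers.get("Content-Encoding", "").lower() == "gzip"
    deflate = "gzip" in headers.get("Accept-Encoding", "").lower()
    callback = Callback()
    gzip_request = GzipRequest(pool) if inflate else None

    # Reported: wrap only when deflation is also needed. Fixed: wrap whenever a
    # GzipRequest was created, so destroy() runs on every completion path.
    if gzip_request is not None and (deflate or fixed):
        callback = GzipResponseAndCallback(gzip_request, callback)

    if not handler_accepts:
        # "request not accepted" path: destroy() is called explicitly here.
        if gzip_request is not None:
            gzip_request.destroy()
        return False

    # Accepted: the application completes the callback later; only the wrapper
    # (when present) releases the inflater.
    callback.succeeded()
    return True


def leaked_after(n_requests, fixed):
    """Send n trigger requests (gzip body, no Accept-Encoding) and report leaked inflaters."""
    pool = InflaterPool()
    trigger = {"Content-Encoding": "gzip"}  # inflated request, response not deflated
    for _ in range(n_requests):
        handle_request(pool, trigger, handler_accepts=True, fixed=fixed)
    return pool.leaked
```

With `fixed=False` every accepted trigger request leaves one inflater unreleased, which is the growth pattern that ends in the reported off-heap OOM; with `fixed=True`, or when the request also carries `Accept-Encoding: gzip`, or when the handler rejects it, the count stays at zero.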
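The report's diagnostic signal is thousands of `java.util.zip.Inflater` objects in a heap dump. An added Python check (not from Jetty or the reporter) that reads a `jmap -histo` class histogram and flags a suspicious `Inflater` population. The histogram text below is constructed for the example, and the `threshold` default is an assumption: a sensible value is the idle baseline of your own instance, since the page does not state the pool's capacity.

```python
import re

# Constructed sample of `jmap -histo:live <pid>` output; the counts are made up
# to show the shape of the leak and are not from a real Jetty heap.
SAMPLE_HISTO = """\
 num     #instances         #bytes  class name (module)
-------------------------------------------------------
   1:         18342       1467360  java.util.zip.Inflater (java.base@17.0.9)
   2:          9120       2920448  [B (java.base@17.0.9)
   3:          4410        105840  java.lang.String (java.base@17.0.9)
Total         31872       4493648
"""

# One histogram row: rank, instance count, byte count, class name.
_HISTO_ROW = re.compile(r"^\s*\d+:\s+(\d+)\s+(\d+)\s+(\S+)")


def parse_histo(text):
    """Map class name -> (instances, bytes) for every row of a jmap -histo dump."""
    rows = {}
    for line in text.splitlines():
        match = _HISTO_ROW.match(line)
        if match:
            rows[match.group(3)] = (int(match.group(1)), int(match.group(2)))
    return rows


def inflater_count(text):
    """Number of live java.util.zip.Inflater instances in the histogram (0 if absent)."""
    return parse_histo(text).get("java.util.zip.Inflater", (0, 0))[0]


def looks_like_inflater_leak(text, threshold=1000):
    """Assumed heuristic: pooled inflaters should stay near the pool size, so a
    count far above an idle baseline points at the unreleased-GzipRequest path."""
    return inflater_count(text) >= threshold
```

Take one histogram from an idle server as the baseline, then another after traffic that sends gzip-compressed request bodies without `Accept-Encoding: gzip`; a count that climbs with each such request and never falls back is the leak the report describes.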
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (5)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1605.json
epss 0.00055 https://api.first.org/data/v1/epss?cve=CVE-2026-1605
epss 0.0006 https://api.first.org/data/v1/epss?cve=CVE-2026-1605
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-xxh7-fcf3-rj7f
cvssv3.1 7.5 https://github.com/jetty/jetty.project
generic_textual HIGH https://github.com/jetty/jetty.project
cvssv3.1 7.5 https://github.com/jetty/jetty.project/issues/14260
generic_textual HIGH https://github.com/jetty/jetty.project/issues/14260
cvssv3.1 7.5 https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
cvssv3.1_qr HIGH https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
generic_textual HIGH https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
ssvc Track https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
cvssv3.1 7.5 https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
generic_textual HIGH https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-1605
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-1605
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1605.json
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): none; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/issues/14260
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-05T14:46:07Z/ Found at https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://gitlab.eclipse.org/security/cve-assignment/-/issues/79
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-1605
Exploit Prediction Scoring System (EPSS)
Percentile 0.17495
EPSS Score 0.00055
Published At April 2, 2026, 12:55 p.m.
History
Date: 2026-04-01T12:54:10.016265+00:00
Actor: GithubOSV Importer
Action: Import
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-xxh7-fcf3-rj7f/GHSA-xxh7-fcf3-rj7f.json
VulnerableCode Version: 38.0.0