DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-1605: CVE-2026-1605: Native Memory Leak in Eclipse Jetty GzipHandler

#security #cve #cybersecurity

CVE-2026-1605: Native Memory Leak in Eclipse Jetty GzipHandler

Vulnerability ID: CVE-2026-1605
CVSS Score: 7.5
Published: 2026-03-05

A high-severity resource management vulnerability exists in Eclipse Jetty versions 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5. The GzipHandler component fails to correctly release native memory resources associated with the zlib Inflater when processing compressed requests if the corresponding response is not compressed. This allows unauthenticated remote attackers to trigger a native memory leak, leading to Denial of Service (DoS) via application crash or OOM termination.

TL;DR

Eclipse Jetty fails to release native memory for Gzip-compressed requests when the response is not compressed. Attackers can exhaust server memory by sending compressed requests without the 'Accept-Encoding: gzip' header.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400 / CWE-401
  • CVSS Score: 7.5 (High)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Attack Vector: Network (Remote)
  • Exploit Maturity: PoC Available
  • EPSS Score: 0.04%

Affected Systems

  • Eclipse Jetty 12.0.0 through 12.0.31
  • Eclipse Jetty 12.1.0 through 12.1.5
  • Eclipse Jetty: 12.0.0 - 12.0.31 (Fixed in: 12.0.32)
  • Eclipse Jetty: 12.1.0 - 12.1.5 (Fixed in: 12.1.6)

Code Analysis

Commit: a9e1643

Fix native memory leak in GzipHandler by decoupling callback wrapper

@@ -123,7 +123,7 @@
     if (inflatable && tryInflate || etagMatches) {
         GzipRequest gzipRequest = new GzipRequest(request, _inflaterPool, ...);
-        if (tryDeflate) callback = new GzipResponseAndCallback(...);
+        callback = Callback.from(callback, gzipRequest::destroy);
Enter fullscreen mode Exit fullscreen mode

Exploit Details

  • Manual Analysis: Exploitable by sending compressed requests without accept-encoding header

Mitigation Strategies

  • Upgrade to patched Jetty versions (12.0.32+, 12.1.6+).
  • Disable GzipHandler in server configuration if not required.
  • Block 'Content-Encoding: gzip' headers at the network edge (WAF/LB).

Remediation Steps:

  1. Identify all applications using Eclipse Jetty versions 12.0.0-12.0.31 or 12.1.0-12.1.5.
  2. Update Maven/Gradle dependencies to version 12.0.32 or 12.1.6.
  3. Rebuild and redeploy the application.
  4. Verify the fix by monitoring native memory usage while sending compressed requests without 'Accept-Encoding'.

References

Read the full report for CVE-2026-1605 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)