CVE-2026-1605
Summary
| CVE | CVE-2026-1605 |
|---|---|
| State | PUBLISHED |
| Assigner | eclipse |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-05 10:15:56 UTC |
| Updated | 2026-06-30 03:17:18 UTC |
| Description | In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Problem Types: CWE-400 | CWE-401 | CWE-772 | CWE-400 CWE-400 Uncontrolled Resource Consumption | CWE-401 CWE-401 Missing Release of Memory after Effective Lifetime | CWE-772 Missing Release of Resource after Effective Lifetime
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | CNA | CVSS | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/security/cve/CVE-2026-1605 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f | [email protected] | github.com | Vendor Advisory |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25125 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:8509 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1605.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25126 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:21772 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Gleb Sizov (@glebashnik) (en)
CNA: Bjørn Christian Seime (@bjorncs) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-05T11:00:57.250Z | Reported to Red Hat. |
| ADP | 2026-03-05T09:39:01.315Z | Made public. |
Solutions
ADP: RHSA-2026:25125: Red Hat JBoss EAP 8.1 for RHEL 8, Red Hat JBoss EAP 8.1 for RHEL 9
ADP: RHSA-2026:25089: HawtIO HawtIO 4.4.0
ADP: RHSA-2026:8509: Red Hat AMQ Broker 7.14.0
ADP: RHSA-2026:25126: Red Hat JBoss Enterprise Application Platform 8.1
ADP: RHSA-2026:21772: Red Hat OpenShift Dev Spaces 3.28
There are currently no legacy QID mappings associated with this CVE.