Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-1605 is a high-severity memory leak vulnerability in the Eclipse Jetty server's GzipHandler component affecting versions 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5."}, {'type': 'paragraph', 'content': 'The issue occurs when the server processes an HTTP request that is compressed with "Content-Encoding: gzip" but the corresponding response is not compressed. In this scenario, the GzipRequest inflator object is created to decompress the request but is never released because the release mechanism is only triggered when the response is also compressed.'}, {'type': 'paragraph', 'content': 'Technically, the method gzipRequest.destroy() that releases the inflator is only called if both request inflation and response deflation are needed. If the response is not compressed, this method is never invoked, causing thousands of Inflater objects to accumulate in memory.'}, {'type': 'paragraph', 'content': 'This leads to uncontrolled resource consumption, specifically memory leaks in both Java heap and native memory, which can cause out-of-memory errors and JVM crashes.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can be exploited to cause denial-of-service (DoS) attacks by exhausting the JVM's memory resources."}, {'type': 'paragraph', 'content': 'Because the Inflater objects are not released properly, memory consumption grows uncontrollably, potentially leading to out-of-memory errors and crashes of the Jetty server.'}, {'type': 'paragraph', 'content': 'Such crashes can disrupt availability of services relying on the Jetty server, causing downtime and impacting users.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusually high memory usage or out-of-memory errors in the JVM running the Jetty server, especially when handling HTTP requests with the header "Content-Encoding: gzip" but without "Accept-Encoding: gzip" in the response.'}, {'type': 'paragraph', 'content': 'Since the issue involves accumulation of java.util.zip.Inflater objects leading to memory leaks, you can look for symptoms such as JVM crashes or excessive native memory consumption.'}, {'type': 'paragraph', 'content': 'To detect the vulnerability on your system, you can use JVM monitoring tools like jcmd, jmap, or jstat to observe memory usage and object counts.'}, {'type': 'list_item', 'content': 'Use jcmd to get a heap histogram: jcmd <pid> GC.heap_info'}, {'type': 'list_item', 'content': 'Use jmap to dump heap and analyze Inflater objects: jmap -histo <pid> | grep Inflater'}, {'type': 'list_item', 'content': 'Monitor JVM logs for OutOfMemoryError or native memory exhaustion.'}, {'type': 'list_item', 'content': 'Analyze network traffic to identify HTTP requests with "Content-Encoding: gzip" headers without corresponding "Accept-Encoding: gzip" in responses.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to disable the GzipHandler in the affected Jetty server versions to prevent the memory leak from occurring.

Since no patches are currently available, disabling the GzipHandler will stop the creation of GzipRequest inflator objects that are not properly released.

Additionally, monitor your JVM memory usage and consider restarting the Jetty server if memory exhaustion symptoms appear.

Useful 0 Not Useful 0