7.5
CVE-2026-1605
- EPSS 0.63%
- Veröffentlicht 05.03.2026 09:39:01
- Zuletzt bearbeitet 30.06.2026 03:17:18
- Quelle emo@eclipse.org
- CVE-Watchlists
- Unerledigt
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.63% | 0.454 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| emo@eclipse.org | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
CWE-400 Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
CWE-401 Missing Release of Memory after Effective Lifetime
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
CWE-772 Missing Release of Resource after Effective Lifetime
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
https://access.redhat.com/errata/RHSA-2026:25125
https://access.redhat.com/errata/RHSA-2026:25126
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:21772
https://access.redhat.com/errata/RHSA-2026:8509
https://access.redhat.com/security/cve/CVE-2026-1605
https://bugzilla.redhat.com/show_bug.cgi?id=2444815
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1605.json