How serious is CVE-2026-1605?

This vulnerability has a CVSS score of 7.5 out of 10, classified as HIGH severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-1605?

Yes, proof-of-concept exploit code for CVE-2026-1605 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-1605?

CVE-2026-1605 affects eclipse jetty. Check the full CVE details for specific version information.

How do I fix CVE-2026-1605?

To remediate CVE-2026-1605, check for security patches from eclipse. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-1605

High

|7.5

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to cause a memory leak on servers using specific versions of Eclipse Jetty by sending a compressed HTTP request that isn't met with a compressed response. For this to happen, the server must be configured to handle gzip-encoded requests, but fail to respond with gzip-encoded data.

Technical Description

In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response. In this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactNone

Integrity ImpactNone

Availability ImpactHigh

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$2,053($1K-$5K)

Vendor Response

Grade APatched in 1 day

Quick Information

Published

Mar 5, 2026

about 1 month ago

Last Modified

Mar 6, 2026

about 1 month ago

Vendor

eclipse

Product

jetty

Related Vulnerabilities

CVE-2025-11143Medium

This vulnerability allows an attacker to potentially bypass security measures by exploiting differences in how various components of a system interpret unusual web addresses (URIs). If different parts of the system use different rules for these URIs, it could lead to unauthorized access or reveal sensitive information about the system's setup.