[jetty-announce] CVE-2026-1605 - Jetty 12 - Gzip request memory leak leads to OOM

Eclipse Jetty Security Advisory - CVE-2026-1605

  Severity: High (CVSS 3.1)

  Affected component: org.eclipse.jetty:jetty-server

Affected versions:
 - 12.0.0 through 12.0.31
 - 12.1.0 through 12.1.5

Fix available:
 - 12.0.32 (available on Maven Central)
 - 12.1.6 (available on Maven Central)

Description:

GzipHandler leaks memory and can cause off-heap OutOfMemoryErrors. The leak is triggered by requests whose body is inflated (the request carries Content-Encoding: gzip) while the response is not deflated (the request carries no Accept-Encoding: gzip). Under these conditions GzipRequest creates a new Inflater that is never returned to the inflater pool, because gzipRequest.destroy() is not called.

Thousands of java.util.zip.Inflater objects therefore accumulate, consuming both Java heap and native memory. The leaked native memory produces off-heap OutOfMemoryErrors and JVM crashes, so the bug can be exploited for denial of service: a client only needs to keep sending gzip-compressed request bodies without an Accept-Encoding: gzip header.
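To make the shape of the defect concrete, here is an added Python model of the request lifecycle described above. It is not Jetty's code and the names (Inflater, InflaterPool, handle_request, triggers_leak, make_traffic, simulate) are illustrative stand-ins chosen for this example: the request path acquires an inflater, but in the vulnerable variant only the response-deflate path ever returns it to the pool, so every gzip request body paired with a non-gzip response strands one inflater. The fixed variant releases on every exit path. The sample traffic is constructed inline.

```python
"""
Added example, not Jetty code: a small model of the GzipHandler lifecycle
described in CVE-2026-1605. Class and function names are illustrative.
"""
from __future__ import annotations

import gzip
import zlib


class Inflater:
    """Stand-in for java.util.zip.Inflater: a resettable gzip decoder."""

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        # 16 + MAX_WBITS tells zlib to expect gzip framing.
        self._z = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)

    def inflate(self, data: bytes) -> bytes:
        return self._z.decompress(data) + self._z.flush()


class InflaterPool:
    """Models the shared pool; 'leaked' is what was created but never returned."""

    def __init__(self) -> None:
        self._idle: list[Inflater] = []
        self.created = 0

    def acquire(self) -> Inflater:
        if self._idle:
            return self._idle.pop()
        self.created += 1
        return Inflater()

    def release(self, inflater: Inflater) -> None:
        inflater.reset()
        self._idle.append(inflater)

    @property
    def leaked(self) -> int:
        # Meaningful once no request is in flight.
        return self.created - len(self._idle)


def _tokens(value: str) -> set[str]:
    """Split a comma-separated header value into lowercase tokens, dropping q-values."""
    return {t.split(";", 1)[0].strip().lower() for t in value.split(",") if t.strip()}


def triggers_leak(headers: dict[str, str]) -> bool:
    """True for the request shape the advisory names: inflated body, response not deflated."""
    body_gzipped = "gzip" in _tokens(headers.get("Content-Encoding", ""))
    client_accepts_gzip = "gzip" in _tokens(headers.get("Accept-Encoding", ""))
    return body_gzipped and not client_accepts_gzip


def handle_request(pool: InflaterPool, headers: dict[str, str], body: bytes,
                   fixed: bool) -> bytes:
    """Echo handler. fixed=False reproduces the leak; fixed=True releases unconditionally."""
    inflater = None
    try:
        if "gzip" in _tokens(headers.get("Content-Encoding", "")):
            inflater = pool.acquire()
            body = inflater.inflate(body)
        response = body
        if "gzip" in _tokens(headers.get("Accept-Encoding", "")):
            # Response-deflate path: in the vulnerable variant this is the only
            # place the request's Inflater is ever returned to the pool.
            if inflater is not None:
                pool.release(inflater)
                inflater = None
            response = gzip.compress(response)
        return response
    finally:
        # The fix: release on every exit path, not only the deflate path.
        if fixed and inflater is not None:
            pool.release(inflater)


def make_traffic(n: int) -> list[tuple[dict[str, str], bytes]]:
    """Constructed sample traffic: every third request has the leaking shape."""
    plain = b"payload"
    out: list[tuple[dict[str, str], bytes]] = []
    for i in range(n):
        if i % 3 == 0:
            out.append(({"Content-Encoding": "gzip", "Accept-Encoding": "gzip, br"},
                        gzip.compress(plain)))
        elif i % 3 == 1:
            out.append(({"Content-Encoding": "gzip"}, gzip.compress(plain)))  # trigger
        else:
            out.append(({"Accept-Encoding": "gzip"}, plain))
    return out


def simulate(n: int, fixed: bool) -> int:
    """Run n constructed requests through the handler; return the leaked Inflater count."""
    pool = InflaterPool()
    for headers, body in make_traffic(n):
        handle_request(pool, headers, body, fixed)
    return pool.leaked


if __name__ == "__main__":
    print("vulnerable:", simulate(300, fixed=False), "leaked Inflaters")
    print("fixed:     ", simulate(300, fixed=True), "leaked Inflaters")
```

With the vulnerable variant the leak count grows by one for every request of the trigger shape, regardless of how many safe requests are interleaved; with the release moved into the `finally` block the pool stays at a single reusable inflater. The same `triggers_leak` predicate is what you would want in a request filter or log query when deciding whether traffic against an unpatched 12.0.x/12.1.x instance is exercising this path.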

  Weakness: CWE-400 (Uncontrolled Resource Consumption), CWE-401 (Missing Release of Memory after Effective Lifetime)

  Workaround: Disable GzipHandler.

Credit: https://github.com/glebashnik, https://github.com/bjorncs

For full technical details, consult the GitHub security advisory:
  https://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f

The Eclipse Jetty Team

