CVE-2026-1605 is a vulnerability in the Eclipse Jetty web server framework, specifically affecting versions 12.0.0 through 12.0.31 and 12.1.0 through 12.1.0.5. The issue resides in the GzipHandler class, which handles HTTP requests and responses with gzip compression. When a client sends a compressed HTTP request (Content-Encoding: gzip), Jetty uses the JDK Inflater to decompress the request body. However, if the server response is not compressed, the mechanism that releases the Inflater resource is not triggered, resulting in a resource leak. This uncontrolled resource consumption (CWE-400) can accumulate over time, exhausting memory or other system resources, potentially leading to denial of service (DoS). The vulnerability does not impact confidentiality or integrity but severely affects availability. Exploitation requires no authentication or user interaction and can be performed remotely by sending crafted HTTP requests. The flaw is rooted in improper lifecycle management of decompression resources, reflecting a CWE-400 (uncontrolled resource consumption) and CWE-401 (improper release of resources) classification. No patches are linked yet, and no known exploits have been observed in the wild as of the publication date. The CVSS v3.1 base score is 7.5, reflecting high severity due to network attack vector, low complexity, no privileges required, and no user interaction needed.

The primary impact of CVE-2026-1605 is denial of service through resource exhaustion on servers running vulnerable versions of Eclipse Jetty. Attackers can send specially crafted compressed HTTP requests that cause the server to allocate decompression resources without releasing them, leading to memory leaks or depletion of other system resources. Over time or under high request volumes, this can degrade server performance, cause crashes, or force restarts, disrupting availability of web services relying on Jetty. This can affect any organization using Jetty in their web infrastructure, including cloud providers, enterprise applications, and embedded systems. The lack of authentication and user interaction requirements makes it easy for remote attackers to exploit. Although confidentiality and integrity are not directly impacted, the availability disruption can have cascading effects on business operations, customer trust, and service-level agreements. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as public details become widespread.

To mitigate CVE-2026-1605, organizations should prioritize upgrading to fixed versions of Eclipse Jetty once patches are released by the Eclipse Foundation. In the interim, consider the following specific actions: 1) Implement rate limiting or request throttling on endpoints accepting compressed requests to reduce the potential for resource exhaustion. 2) Disable or restrict support for compressed HTTP requests (Content-Encoding: gzip) if feasible, especially on public-facing services. 3) Monitor server resource usage closely for abnormal memory or resource consumption patterns indicative of exploitation attempts. 4) Employ Web Application Firewalls (WAFs) or reverse proxies capable of detecting and blocking suspicious compressed request patterns. 5) Review and harden server configurations to limit maximum request sizes and decompression buffer allocations. 6) Conduct internal testing with crafted compressed requests to verify whether the server properly releases decompression resources. These targeted mitigations go beyond generic advice by focusing on controlling the decompression resource lifecycle and limiting exposure to malformed compressed requests.