{
  "threat_severity" : "Important",
  "public_date" : "2026-03-05T09:39:01Z",
  "bugzilla" : {
    "description" : "org.eclipse.jetty/jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests",
    "id" : "2444815",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2444815"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-772",
  "details" : [ "In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed.\nThis happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release mechanism is tied to the compressed response.\nIn this case, since the response is not compressed, the release mechanism does not trigger, causing the leak.", "A flaw was found in org.eclipse.jetty. A remote attacker can exploit this vulnerability by sending a compressed HTTP request with Content-Encoding: gzip when the server's response is not compressed. This prevents the release of the JDK Inflater, leading to a resource leak. This resource exhaustion can result in a Denial of Service (DoS), making the server unavailable to legitimate users." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Broker 7.14.0",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8509",
    "cpe" : "cpe:/a:redhat:amq_broker:7.14",
    "package" : "jetty-server"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "ocp-tools-4/jenkins-rhel8",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "ocp-tools-4/jenkins-rhel9",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat build of Apache Camel - HawtIO 4",
    "fix_state" : "Affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:apache_camel_hawtio:4"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 2",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:service_registry:2"
  }, {
    "product_name" : "Red Hat build of Apicurio Registry 3",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:apicurio_registry:3"
  }, {
    "product_name" : "Red Hat build of Debezium 2",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:debezium:2"
  }, {
    "product_name" : "Red Hat build of Debezium 3",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:debezium:3"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-core:10.6/resteasy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-deps:10.6/resteasy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "jmc",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "resteasy",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat JBoss Web Server 6",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:6"
  }, {
    "product_name" : "Red Hat Offline Knowledge Portal",
    "fix_state" : "Not affected",
    "package_name" : "offline-knowledge-portal/rhokp-rhel9",
    "cpe" : "cpe:/a:redhat:offline_knowledge_portal:1"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/openvsx-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat OpenShift Dev Spaces",
    "fix_state" : "Affected",
    "package_name" : "devspaces/pluginregistry-rhel9",
    "cpe" : "cpe:/a:redhat:openshift_devspaces:3"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "puppetserver",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "satellite-capsule:el8/puppetserver",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Affected",
    "package_name" : "jetty-server",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-1605\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1605\nhttps://github.com/jetty/jetty.project/security/advisories/GHSA-xxh7-fcf3-rj7f" ],
  "name" : "CVE-2026-1605",
  "csaw" : false
}