The ring-jetty-adapter depends on org.eclipse.jetty/jetty-server 12.1.0, which is affected by CVE-2026-1605 — a native memory leak in Jetty's GzipHandler.
When a request uses Content-Encoding: gzip but the response is not deflated (no Accept-Encoding: gzip), a new Inflater is created and never released back to the pool. This leaks both Java heap and native memory, eventually causing off-heap OOM crashes (CVSS 7.5 High, CWE-400/CWE-401).
Affected versions: Jetty 12.1.0 through 12.1.5
Fixed in: Jetty 12.1.6
The fix would be to bump the Jetty dependency to at least 12.1.6.
References:
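
An added example, not part of the original report or the ring project's code: a check that scans Leiningen-style dependency tree text for `org.eclipse.jetty/jetty-server` versions inside the affected range stated above (12.1.0 through 12.1.5). The `[group/artifact "version"]` line format and the sample tree are assumptions constructed for illustration, and the adapter version in the sample is a placeholder.

```python
import re

# Affected range as stated in the report: Jetty 12.1.0 through 12.1.5 (fixed in 12.1.6).
AFFECTED_MIN = (12, 1, 0)
AFFECTED_MAX = (12, 1, 5)
ARTIFACT = "org.eclipse.jetty/jetty-server"

# Assumed tree entry format: [group/artifact "1.2.3" ...]
ENTRY = re.compile(r'\[([\w.\-]+/[\w.\-]+)\s+"([^"]+)"')


def parse_version(text):
    """Return (major, minor, patch), or None for versions that are not plain x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def find_affected(tree_text):
    """Return (line_number, version, status) for each jetty-server entry that is
    in the affected range, or whose version cannot be parsed and needs review."""
    findings = []
    for lineno, line in enumerate(tree_text.splitlines(), start=1):
        for artifact, version in ENTRY.findall(line):
            if artifact != ARTIFACT:
                continue
            parsed = parse_version(version)
            if parsed is None:
                findings.append((lineno, version, "unparsed"))
            elif AFFECTED_MIN <= parsed <= AFFECTED_MAX:
                findings.append((lineno, version, "affected"))
    return findings


# Constructed sample input; "X.Y.Z" is a placeholder, not a version from the report.
SAMPLE_TREE = '''\
 [ring/ring-jetty-adapter "X.Y.Z"]
   [org.eclipse.jetty/jetty-server "12.1.0"]
     [org.eclipse.jetty/jetty-http "12.1.0"]
 [example/other-lib "0.1.0"]
   [org.eclipse.jetty/jetty-server "12.1.6" :exclusions [[org.slf4j/slf4j-api]]]
'''

if __name__ == "__main__":
    for lineno, version, status in find_affected(SAMPLE_TREE):
        print(f"line {lineno}: {ARTIFACT} {version} -> {status} (CVE-2026-1605)")
```

Entries with a non-numeric suffix are reported as `unparsed` rather than silently passed, so they get a manual look.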