CVE-2021-28165

high

Published 2021-04-06 · Modified 2026-03-13

CVSS v3

—

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2

—

VIR risk

8.0

Description

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Predictions

Exploit likelihood

30%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2021-28165

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2021-28165.html

OS impact

OS	Version	Status	Fixed in
arch		fixed	`2.286-1`
sles		affected
debian	bookworm	fixed	`9.4.39-1`
debian	bullseye	fixed	`9.4.39-1`
debian	forky	fixed	`9.4.39-1`
debian	sid	fixed	`9.4.39-1`
debian	trixie	fixed	`9.4.39-1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
Maven	org.eclipse.jetty:jetty-server	`>=7.2.2,<9.4.39`	`9.4.39`
Maven	org.eclipse.jetty:jetty-server	`>=10.0.0,<10.0.2`	`10.0.2`
Maven	org.eclipse.jetty:jetty-server	`>=11.0.0,<11.0.2`	`11.0.2`

References

Verify integrity in audit chain (admin only). AS-IS.