diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c5321870..45ee86260 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -117,6 +117,7 @@ Status: beta.
 - Security: add mDNS discovery mode with minimal default to reduce information disclosure. (#1882) Thanks @orlyjamie.
 - Security: harden URL fetches with DNS pinning to reduce rebinding risk. Thanks Chris Zheng.
 - Web UI: improve WebChat image paste previews and allow image-only sends. (#1925) Thanks @smartprogrammer93.
+- Gateway: fix server resource leak in canBindToHost error handler.
 - Security: wrap external hook content by default with a per-hook opt-out. (#1827) Thanks @mertcicekci0.
 - Gateway: default auth now fail-closed (token/password required; Tailscale Serve identity remains allowed).
 - Gateway: treat loopback + non-local Host connections as remote unless trusted proxy headers are present.
diff --git a/src/gateway/net.ts b/src/gateway/net.ts
index 6702e0e8b..cd97c8e3c 100644
--- a/src/gateway/net.ts
+++ b/src/gateway/net.ts
@@ -140,6 +140,7 @@ export async function canBindToHost(host: string): Promise<boolean> {
   return new Promise((resolve) => {
     const testServer = net.createServer();
     testServer.once("error", () => {
+      testServer.close();
       resolve(false);
     });
     testServer.once("listening", () => {