Apparently, ever since Java 1.4 we have been living with a classloader leak built right into the JDK. It is patched in the most recent Java 7 releases, but no backports exist for older JDKs, so at least 80% of us can still be affected by it.
You encounter the bug most often during redeployments of your Java EE application. It does not show up on every redeploy, only when you have innocently used sun.net.www.http.KeepAliveCache under the hood. The cause is that the "keepAliveTimer" daemon thread created in sun.net.www.http.KeepAliveCache inherits the context class loader of its parent thread, and therefore holds a reference to that class loader. This is fine if the thread's context class loader is the system class loader, but it is bad if the context class loader is a custom class loader that may need to be unloaded at some future point, which is exactly what your application server's classloaders do every once in a while during redeploys. The reference held by this thread means that the class loader can never become eligible for GC.
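The inheritance described above can be reproduced without the JDK's HTTP client. The following is an added example, not code from the JDK or from the original post: the class `ContextLoaderLeakDemo`, the stand-in timer thread and the empty `URLClassLoader` playing the application server's loader are all hypothetical, and it assumes Java 8 or later.

```java
import java.lang.ref.WeakReference;
import java.net.URL;
import java.net.URLClassLoader;

public class ContextLoaderLeakDemo {

    // Hypothetical stand-in for "keepAliveTimer": a daemon thread that never exits.
    static Thread startTimer(String name) {
        Thread t = new Thread(() -> {
            try { Thread.sleep(Long.MAX_VALUE); } catch (InterruptedException ignored) { }
        }, name);
        t.setDaemon(true);
        t.start(); // new Thread(...) copied the creator's context class loader
        return t;
    }

    // Returns true if the application loader became collectable after "undeploy".
    static boolean loaderCollected(boolean pinToSystemLoader) throws Exception {
        Thread current = Thread.currentThread();
        ClassLoader original = current.getContextClassLoader();
        // Constructed stand-in for the per-application loader of an app server.
        URLClassLoader appLoader = new URLClassLoader(new URL[0], original);
        WeakReference<ClassLoader> ref = new WeakReference<>(appLoader);
        current.setContextClassLoader(appLoader); // container runs app code under its loader
        try {
            if (pinToSystemLoader) {
                // Mitigation: create the long-lived thread under a loader
                // that never has to be unloaded.
                current.setContextClassLoader(ClassLoader.getSystemClassLoader());
            }
            startTimer(pinToSystemLoader ? "timer-pinned" : "timer-leaky");
        } finally {
            current.setContextClassLoader(original);
        }
        appLoader.close();
        appLoader = null; // "undeploy": drop our only strong reference
        for (int i = 0; i < 10 && ref.get() != null; i++) {
            System.gc(); // only a hint to the JVM, hence the retry loop
            Thread.sleep(50);
        }
        return ref.get() == null;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("inherited app loader, collected: " + loaderCollected(false));
        System.out.println("pinned to system loader, collected: " + loaderCollected(true));
    }
}
```

In a heap dump the leaky case shows up as a GC root path from the daemon thread's `contextClassLoader` field to the application's class loader.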
We have taken a look into the issue, analysed its symptoms and described the consequences in this blog post.