Skip to main content

Apache Activemq Client CVE-2026-39304

| EUVDEUVD-2026-21362 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-04-10 apache GHSA-5568-6qcg-g7fx
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 11:00 euvd
EUVD-2026-21362
Analysis Generated
Apr 10, 2026 - 11:00 vuln.today
CVE Published
Apr 10, 2026 - 10:54 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)
  • 31 maven packages depend on org.apache.activemq:activemq-client (8 direct, 23 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionCVE.org

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

AnalysisAI

Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. Vulnerability arises from improper handling of TLSv1.3 handshake KeyUpdate messages, enabling clients to trigger unbounded memory allocation in the SSL engine. No public exploit identified at time of analysis. CVSS 7.5 (AV:N/AC:L/PR:N) indicates network-accessible, low-complexity attack requiring no authentication.

Technical ContextAI

Root cause stems from CWE-400 uncontrolled resource consumption in NIO SSL transport layer. TLSv1.3 KeyUpdate mechanism permits clients to repeatedly trigger cryptographic key rotation without full handshake overhead. ActiveMQ's SSL engine allocates memory per update without rate limiting or bounds checking, creating unbounded heap growth. Pre-TLSv1.3 protocols require full renegotiation causing connection hang but not OOM.

RemediationAI

Vendor-released patches: upgrade to Apache ActiveMQ version 6.2.4 or 5.19.5 immediately. These releases implement proper bounds checking and rate limiting for TLSv1.3 KeyUpdate handling in NIO SSL transports. For environments unable to upgrade immediately, mitigate by disabling TLSv1.3 protocol support at the broker configuration level and restrict to TLSv1.2, though this introduces connection hang risk during renegotiation. Alternatively, disable NIO SSL transport and use alternative transport protocols. Monitor heap memory utilization for abnormal growth patterns. Complete advisory and upgrade instructions: https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt

Vendor StatusVendor

Share

CVE-2026-39304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy