What is the CVSS score of CVE-2026-39304?

CVE-2026-39304 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Apache are affected by CVE-2026-39304?

Apache ActiveMQ versions before 5.19.4 and 6.0.0-6.2.3 are vulnerable to unauthenticated remote denial of service attacks that exhaust broker memory through malformed TLSv1.3 handshake requests,…. A patch is available.

Apache CVE-2026-39304

Q: How to fix or mitigate CVE-2026-39304?

Within 24 hours: Identify all ActiveMQ deployments using versions <5.19.4 or 6.0.0-6.2.3 with NIO SSL transports enabled and assess business criticality. Within 7 days: Implement network-level controls (rate limiting, connection throttling on TLSv1.3 KeyUpdate requests) or disable NIO SSL transport if operationally feasible; apply compensating controls below. Within 30 days: Upgrade to ActiveMQ 5.19.4 or later (5.15.x/5.16.x/5.17.x/5.18.x not mentioned as patched-verify vendor advisories) or 6.2.4+ once released and tested.

EUVD-2026-21362 HIGH

Uncontrolled Resource Consumption (CWE-400)

2026-04-10 apache

GHSA-5568-6qcg-g7fx

Denial Of Service Apache

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 11, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 11:00 euvd

EUVD-2026-21362

Analysis Generated

Apr 10, 2026 - 11:00 vuln.today

CVE Published

Apr 10, 2026 - 10:54 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
21 maven packages depend on org.apache.activemq:activemq-broker (14 direct, 7 indirect)
31 maven packages depend on org.apache.activemq:activemq-client (8 direct, 23 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionNVD

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

AnalysisAI

Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via rapid TLSv1.3 KeyUpdate requests. Affects ActiveMQ Client, Broker, and All distributions versions <5.19.4 and 6.0.0-6.2.3 when NIO SSL transports are used. …

RemediationAI

Within 24 hours: Identify all ActiveMQ deployments using versions <5.19.4 or 6.0.0-6.2.3 with NIO SSL transports enabled and assess business criticality. Within 7 days: Implement network-level controls (rate limiting, connection throttling on TLSv1.3 KeyUpdate requests) or disable NIO SSL transport if operationally feasible; apply compensating controls below. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory