Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
- 6 maven packages depend on org.apache.activemq:activemq-mqtt (5 direct, 1 indirect)
Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.
DescriptionCVE.org
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.
The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.
This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.
Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
AnalysisAI
Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. This vulnerability stems from an incomplete patch - the fix for CVE-2025-66168 was applied only to 5.19.x branches but omitted from all 6.x releases until 6.2.4. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).
Technical ContextAI
CWE-190 integer overflow occurs when parsing MQTT control packet remaining length field. Validation logic introduced for CVE-2025-66168 was not ported to 6.x codebase, allowing malformed packets to trigger wraparound conditions in memory allocation routines, causing broker process termination. CVSS vector PR:N confirms unauthenticated remote attack surface.
RemediationAI
Vendor-released patch: upgrade to Apache ActiveMQ 6.2.4 or later for all 6.x deployments. Users on legacy 5.x branches must upgrade to 5.19.2 or later (latest: 5.19.5). No workarounds documented; patching is the only validated mitigation. If immediate upgrade is infeasible, disable MQTT transport connector in activemq.xml configuration to eliminate attack surface. Official advisory: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt. Mailing list discussion: https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg. Verify installed version and prioritize upgrade for internet-facing brokers.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20956
GHSA-xvqc-pp94-fmpx