
Apache ActiveMQ CVE-2026-53916

EUVD: EUVD-2026-40278 · HIGH
Memory Allocation with Excessive Size Value (CWE-789)
7.5 (CVSS 3.1, Vendor)

Severity by source

Vendor (CNA), primary: 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

vuln.today AI: 7.5 HIGH

Network-accessible unauthenticated STOMP connection with no complexity barrier; sole impact is complete availability loss via heap exhaustion; no confidentiality or integrity effect.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS Vector (Vendor)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (4 events)

Severity changed: CRITICAL -> HIGH (Jun 30, 2026 17:22, NVD)
CVSS changed: 7.5 (CRITICAL) -> 7.5 (HIGH) (Jun 30, 2026 17:22, NVD)
Patch available (Jun 30, 2026 12:01, EUVD)
Analysis generated (Jun 29, 2026 22:16, vuln.today)

Description (pre-NVD)

Disclosed via oss-security. NVD scoring and full description are pending.

Analysis (AI)

Unbounded heap consumption in Apache ActiveMQ's STOMP NIO codec allows an unauthenticated remote client to crash the broker by streaming non-terminating header bytes that the JVM buffers without limit until memory is exhausted. All three affected Maven artifacts (apache-activemq, activemq-all, activemq-stomp) are impacted in versions before 5.19.8 and in the 6.0.0-6.2.6 range. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Connect to STOMP NIO port (TCP 61613)
Delivery: Stream non-terminating header bytes
Exploit: Broker NIO codec buffers data without limit
Execution: JVM heap exhausted
Impact: Broker process crashes (DoS)

Vulnerability Assessment (AI)

Exploitation: The STOMP NIO transport connector must be enabled and network-reachable. This is a configurable transport in activemq.xml and is not always active in every deployment; operators who have not explicitly added a STOMP transportConnector are not affected. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Independent CVSS 3.1 assessment yields AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (score ~7.5, High): the attack is network-accessible, requires no authentication, and has low complexity. An attacker needs only a TCP connection to the STOMP port and the ability to stream data without sending a frame terminator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An unauthenticated attacker connects to the broker's STOMP NIO listener (typically TCP 61613) and streams a continuous sequence of header bytes without ever sending a STOMP frame terminator (linefeed or null byte). The broker's NIO codec appends each incoming byte to an unbounded in-memory buffer; as the buffer grows, JVM heap is steadily consumed until an OutOfMemoryError terminates the broker process or triggers garbage collection storms that render it unresponsive. …

Remediation: Upgrade to Apache ActiveMQ 6.2.7 for 6.x deployments or 5.19.8 for 5.x deployments; both releases were published June 29, 2026 and are available at https://activemq.apache.org/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all ActiveMQ deployments and inventory versions; query for listeners on STOMP port 61613 or custom STOMP ports; classify each instance by business criticality. …
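The inventory step above (find brokers, check their version, and find out whether a STOMP transport connector is configured) can be scripted. The following is an added example, not code from vuln.today or from the Apache ActiveMQ project. It parses a constructed activemq.xml sample, lists every transportConnector whose URI scheme starts with "stomp" (returning the scheme so NIO and non-NIO variants can be told apart, since the analysis attributes the problem to the NIO codec), and compares a broker version against the affected ranges as this page states them: before 5.19.8, and 6.0.0 through 6.2.6. The schema namespace is the real one used in activemq.xml; the sample configuration and version strings are constructed for illustration.

```python
"""Triage helper for the STOMP/version inventory described on this page.
Example code, not part of the page or of the ActiveMQ project.
Affected ranges are taken as the page states them: < 5.19.8, or 6.0.0 <= v <= 6.2.6."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Real namespace of the ActiveMQ core schema used by the <broker> element in activemq.xml.
ACTIVEMQ_NS = "http://activemq.apache.org/schema/core"

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616?maximumConnections=1000"/>
      <transportConnector name="stomp" uri="stomp+nio://0.0.0.0:61613"/>
      <transportConnector name="stomp-ssl" uri="stomp+nio+ssl://0.0.0.0:61614"/>
      <transportConnector name="mqtt" uri="mqtt://0.0.0.0:1883"/>
    </transportConnectors>
  </broker>
</beans>
"""


def parse_version(text):
    """Turn a version string such as '5.19.7' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version):
    """Apply the advisory's ranges: anything before 5.19.8, or 6.0.0 through 6.2.6 inclusive."""
    v = parse_version(version)
    return v < (5, 19, 8) or (6, 0, 0) <= v <= (6, 2, 6)


def stomp_connectors(xml_text):
    """Return (name, scheme, port) for each transportConnector whose URI scheme is a STOMP variant."""
    root = ET.fromstring(xml_text)
    found = []
    for tc in root.iter(f"{{{ACTIVEMQ_NS}}}transportConnector"):
        uri = tc.get("uri", "")
        parts = urlsplit(uri)  # '+' is a valid scheme character, so 'stomp+nio+ssl' parses cleanly
        if parts.scheme.lower().startswith("stomp"):
            found.append((tc.get("name", ""), parts.scheme, parts.port))
    return found


def assess(xml_text, version):
    """Combine both checks into one verdict: exposed only if the version is affected
    AND at least one STOMP connector is configured (the page's own limiting condition)."""
    connectors = stomp_connectors(xml_text)
    affected = is_affected(version)
    return {
        "version": version,
        "version_affected": affected,
        "stomp_connectors": connectors,
        "exposed": affected and bool(connectors),
    }


if __name__ == "__main__":
    # Constructed version strings bracketing the fix boundaries on the page.
    for v in ("5.19.7", "5.19.8", "6.2.6", "6.2.7"):
        r = assess(SAMPLE_ACTIVEMQ_XML, v)
        state = "exposed" if r["exposed"] else "not exposed"
        print(f"{v}: {state}; STOMP connectors: {r['stomp_connectors']}")
```

Run it against a broker's real activemq.xml by replacing the sample with the file contents; a result of "exposed" means the instance should be moved to the front of the upgrade queue, and the listed ports are the ones to confirm in the network inventory.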




CVE-2026-53916 vulnerability details – vuln.today
