Skip to main content

Apache EUVDEUVD-2026-20956

| CVE-2026-40046 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-04-09 apache GHSA-xvqc-pp94-fmpx
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.4 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 16:30 euvd
EUVD-2026-20956
Analysis Generated
Apr 09, 2026 - 16:30 vuln.today
CVE Published
Apr 09, 2026 - 15:58 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
  • 6 maven packages depend on org.apache.activemq:activemq-mqtt (5 direct, 1 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionCVE.org

Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.

The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.

This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.

AnalysisAI

Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. This vulnerability stems from an incomplete patch - the fix for CVE-2025-66168 was applied only to 5.19.x branches but omitted from all 6.x releases until 6.2.4. No public exploit identified at time of analysis. Low observed exploitation activity (EPSS 0.02%).

Technical ContextAI

CWE-190 integer overflow occurs when parsing MQTT control packet remaining length field. Validation logic introduced for CVE-2025-66168 was not ported to 6.x codebase, allowing malformed packets to trigger wraparound conditions in memory allocation routines, causing broker process termination. CVSS vector PR:N confirms unauthenticated remote attack surface.

RemediationAI

Vendor-released patch: upgrade to Apache ActiveMQ 6.2.4 or later for all 6.x deployments. Users on legacy 5.x branches must upgrade to 5.19.2 or later (latest: 5.19.5). No workarounds documented; patching is the only validated mitigation. If immediate upgrade is infeasible, disable MQTT transport connector in activemq.xml configuration to eliminate attack surface. Official advisory: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt. Mailing list discussion: https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg. Verify installed version and prioritize upgrade for internet-facing brokers.

Vendor StatusVendor

Share

EUVD-2026-20956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy