What is the CVSS score of EUVD-2026-20956?

EUVD-2026-20956 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Apache are affected by EUVD-2026-20956?

Apache ActiveMQ versions 6.0.0 through 6.2.3 contain a remote denial-of-service vulnerability in the MQTT broker that allows unauthenticated attackers to crash the service via malformed control…. A patch is available.

Apache EUVD-2026-20956

| CVE-2026-40046 HIGH

Integer Overflow or Wraparound (CWE-190)

2026-04-09 apache

GHSA-xvqc-pp94-fmpx

Buffer Overflow Apache Integer Overflow Red Hat

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 16:30 euvd

EUVD-2026-20956

Analysis Generated

Apr 09, 2026 - 16:30 vuln.today

CVE Published

Apr 09, 2026 - 15:58 nvd

HIGH 7.5

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

6 maven packages depend on org.apache.activemq:activemq-all (3 direct, 3 indirect)
6 maven packages depend on org.apache.activemq:activemq-mqtt (5 direct, 1 indirect)

Ecosystem-wide dependent count for version 6.0.0 and other introduced versions.

DescriptionNVD

Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.

The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.

This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.

AnalysisAI

Remote denial-of-service in Apache ActiveMQ 6.0.0 through 6.2.3 allows unauthenticated network attackers to crash the MQTT broker via malformed control packets. An integer overflow in the MQTT protocol handler's remaining length field validation enables resource exhaustion without authentication. …

RemediationAI

Within 24 hours: Identify all ActiveMQ instances running versions 6.0.0-6.2.3 via inventory scan and document MQTT broker exposure. Within 7 days: Implement network-level access controls to restrict MQTT protocol traffic (port 1883/8883) to trusted sources only, and monitor ActiveMQ logs for malformed packet attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory