Description
WARNING:

Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases.

See the following for more details:
https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt
https://www.cve.org/CVERecord?id=CVE-2026-40046



Original Report:

Apache ActiveMQ does not properly validate the Remaining Length field of MQTT control packets, which may lead to an integer overflow while decoding malformed packets. When this overflow occurs, ActiveMQ may compute the total Remaining Length incorrectly and then misinterpret the payload as multiple MQTT control packets, leaving the broker open to unexpected behavior when interacting with non-compliant clients. Such packets violate the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that do not enable MQTT transport connectors are not impacted.

This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0.

Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
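As an added illustration (not ActiveMQ's code), the hypothetical Java decoder below shows the MQTT v3.1.1 Remaining Length rule the report refers to: a compliant decoder stops after four bytes, while a loop with no byte cap lets the accumulated int wrap on a fifth continuation byte. The class and method names are assumptions and the input bytes are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

/** Hypothetical MQTT v3.1.1 Remaining Length decoders (spec section 2.2.3); not ActiveMQ's code. */
public final class RemainingLengthDecoder {
    /** The spec allows at most four bytes, so a compliant value never exceeds 268,435,455. */
    static final int MAX_BYTES = 4;

    /** Hardened decoder: reads at most four bytes and rejects a continuation bit on the fourth. */
    static int decodeChecked(InputStream in) throws IOException {
        int value = 0;
        int multiplier = 1;
        for (int i = 0; i < MAX_BYTES; i++) {
            int b = in.read();
            if (b < 0) throw new IOException("truncated Remaining Length");
            value += (b & 0x7F) * multiplier;   // low 7 bits carry data
            if ((b & 0x80) == 0) return value;  // high bit clear: this was the last byte
            multiplier *= 128;
        }
        throw new IOException("malformed Remaining Length: more than " + MAX_BYTES + " bytes");
    }

    /** Uncapped variant, kept only to show why the byte limit matters. */
    static int decodeUnchecked(InputStream in) throws IOException {
        int value = 0;
        int multiplier = 1;
        while (true) {
            int b = in.read();
            if (b < 0) throw new IOException("truncated Remaining Length");
            value += (b & 0x7F) * multiplier;   // int arithmetic silently wraps past 2^31 - 1
            if ((b & 0x80) == 0) return value;
            multiplier *= 128;                  // after four bytes this is 2^28; a fifth byte overflows
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the spec's two-byte example (0xC1 0x02 encodes 321) and a five-byte sequence.
        byte[] valid = {(byte) 0xC1, 0x02};
        byte[] fiveBytes = {(byte) 0x80, (byte) 0x80, (byte) 0x80, (byte) 0x80, 0x08};
        System.out.println("two bytes, checked:   " + decodeChecked(new ByteArrayInputStream(valid)));
        System.out.println("five bytes, uncapped: " + decodeUnchecked(new ByteArrayInputStream(fiveBytes)));
        try {
            decodeChecked(new ByteArrayInputStream(fiveBytes));
        } catch (IOException e) {
            System.out.println("five bytes, checked:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

With the constructed five-byte input the uncapped loop returns a negative length, which is the kind of miscomputed Remaining Length that makes a decoder slice the rest of the stream into the wrong packets.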
Published: 2026-03-04
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Integer overflow in MQTT remaining length causing broker to misinterpret packets and exhibit unexpected behavior
Action: Patch Now
AI Analysis

Impact

The vulnerability occurs when ActiveMQ does not properly validate the MQTT remaining length field, allowing a malformed packet to overflow the integer used to calculate the total Remaining Length. This overflow can lead the broker to incorrectly parse the payload as multiple MQTT control packets, violating the MQTT v3.1.1 specification that limits Remaining Length to 4 bytes. The result is unexpected broker behavior that could include errors, misrouting, or service disruption, reflecting weaknesses in integer handling and calculation. The primary impact is to the broker’s availability and reliability during MQTT communication.

Affected Systems

Affected versions are Apache ActiveMQ prior to 5.19.2, 6.0.0 through 6.1.8, and 6.2.0 for all modules, including the MQTT module. Users of 6.x should upgrade to 6.2.4 or later, while earlier releases must update to at least 5.19.2, 6.1.9, or 6.2.1. Systems that do not enable MQTT transport connectors are not impacted.

Risk and Exploitability

With a CVSS score of 5.4 and an EPSS score under 1%, the exploitation probability is low, and the vulnerability is not listed in CISA’s KEV catalog. However, the flaw can be triggered on an established, authenticated MQTT connection over an enabled transport connector. A client feeding a crafted packet can trigger the integer overflow and cause the broker to misinterpret the payload, potentially disrupting its operation. The attack does not require privileged access beyond an authenticated MQTT session and can be carried out remotely by any client that can send MQTT traffic to the broker.

Generated by OpenCVE AI on April 20, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ActiveMQ to version 5.19.2, 6.1.9, or 6.2.1 (or later) to apply the official fix.
  • If MQTT transport connectors remain enabled, ensure that client connections are monitored for malformed packets and reject packets that exceed the 4-byte Remaining Length limit, following proper MQTT validation practices.
  • Deploy network perimeter controls or application layer firewalls that validate MQTT packets for correct length fields to prevent malformed traffic from reaching the broker.


Advisories
Source: GitHub GHSA
ID: GHSA-c825-6ph3-4h84
Title: Apache ActiveMQ is Vulnerable to Integer Overflow or Wraparound
History

Fri, 10 Apr 2026 11:00:00 +0000

Type Values Removed Values Added
Description: replaced with the current text shown under Description above, which adds the 6.2.4 warning and the advisory links to the original report.
References

Thu, 05 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:activemq:6.2.0:*:*:*:*:*:*:*

Thu, 05 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-130
References
Metrics threat_severity: None (removed) / Moderate (added)


Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache activemq
Apache activemq All Module
Apache activemq Mqtt Module
Vendors & Products Apache
Apache activemq
Apache activemq All Module
Apache activemq Mqtt Module
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 10:30:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description: initial text, identical to the Original Report above.
Title Apache ActiveMQ, Apache ActiveMQ All Module, Apache ActiveMQ MQTT Module: MQTT control packet remaining length field is not properly validated
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T10:52:27.564Z

Reserved: 2025-11-21T20:44:42.659Z

Link: CVE-2025-66168

Vulnrichment

Updated: 2026-03-04T09:15:41.385Z

NVD

Status : Modified

Published: 2026-03-04T09:15:54.757

Modified: 2026-04-10T11:16:21.590

Link: CVE-2025-66168

Redhat

Severity : Moderate

Public Date: 2026-03-04T08:45:00Z

Links: CVE-2025-66168 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T17:30:12Z

Weaknesses