Description
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.
This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via out-of-memory in ActiveMQ broker
Action: Patch
AI Analysis

Impact

This vulnerability arises in ActiveMQ NIO SSL transports due to improper handling of TLSv1.3 KeyUpdate messages. Rapid KeyUpdates from a malicious client exhaust the broker's SSL engine memory, triggering an out-of-memory condition that crashes the broker and interrupts service. Attackers can achieve denial of service without needing elevated privileges. The weakness maps to CWE-400 and CWE-770.

Affected Systems

The flaw is present in Apache ActiveMQ Client, Apache ActiveMQ Broker and the combined ActiveMQ product. Versions prior to ActiveMQ 5.19.4 and any ActiveMQ 6.x from 6.0.0 through 6.2.3 are affected. All affected installations are provided by the Apache Software Foundation.

Risk and Exploitability

The CVSS v3 score of 7.5 reflects a high-impact denial of service scenario. EPSS indicates a very low probability of exploitation at present (<1%), and the vulnerability is not listed in the CISA KEV catalog. An attacker needs only network access to the broker and a TLS v1.3 connection from which to send repeated KeyUpdate messages; no authentication or privilege escalation is required. Since the trigger is ordinary TLS v1.3 protocol traffic that exhausts SSL engine memory, it can be automated with standard TLS libraries.

Generated by OpenCVE AI on April 11, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the current ActiveMQ version and confirm it is a vulnerable release.
  • Upgrade the broker to ActiveMQ 5.19.5 or 6.2.4, which contain the fix for TLS v1.3 KeyUpdate handling.
  • After the upgrade, restart the broker and validate that TLS v1.3 connections succeed without service interruption.
  • If an immediate upgrade is not possible, consider temporarily disabling TLS v1.3 or applying firewall rules to limit or block repeated KeyUpdate traffic until the patch can be applied.
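The first recommended action, confirming whether a deployed release is in the affected ranges, is easy to get wrong by hand because the two ranges have different bounds. The following is an added example, not OpenCVE's or Apache's code: it encodes the affected ranges and upgrade targets exactly as this advisory states them and compares a version string against them. The broker startup log line format and the `activemq-<module>-<version>.jar` file naming it parses are assumptions about the deployment, not taken from the advisory, and the sample log line and jar name are constructed.

```python
# Added example (not OpenCVE's or Apache's code): check an ActiveMQ version
# against the affected ranges stated in this advisory.
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Ranges copied from the advisory text: each entry is (inclusive lower bound
# or None, exclusive upper bound) for "before 5.19.4" and "from 6.0.0 before 6.2.4".
AFFECTED_RANGES = [
    (None, (5, 19, 4)),
    ((6, 0, 0), (6, 2, 4)),
]

# Upgrade targets named by the advisory, keyed by major release line.
FIXED_VERSION_BY_LINE = {5: "5.19.5", 6: "6.2.4"}

# Assumed formats (not from the advisory): the broker's startup log line and
# the naming of the ActiveMQ jars under lib/.
LOG_LINE_RE = re.compile(r"Apache ActiveMQ (\d+\.\d+\.\d+)")
JAR_NAME_RE = re.compile(r"activemq-(?:all|broker|client)-(\d+\.\d+\.\d+)\.jar$")


def parse_version(text: str) -> Version:
    """Turn 'x.y[.z][-suffix]' into a comparable (x, y, z) tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


def upgrade_target(version: str) -> Optional[str]:
    """Fixed release for an affected version, or None if no upgrade is needed."""
    if not is_affected(version):
        return None
    major = parse_version(version)[0]
    # Anything older than the 6.x line is steered to the 5.19.x fix.
    return FIXED_VERSION_BY_LINE.get(major, FIXED_VERSION_BY_LINE[5])


def version_from_log_line(line: str) -> Optional[str]:
    """Extract the version from a broker startup line (assumed format)."""
    m = LOG_LINE_RE.search(line)
    return m.group(1) if m else None


def version_from_jar_name(name: str) -> Optional[str]:
    """Extract the version from an ActiveMQ jar file name (assumed naming)."""
    m = JAR_NAME_RE.search(name)
    return m.group(1) if m else None


def assess(version: str) -> dict:
    """Summarise affected status and the advisory's upgrade target for a version."""
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": upgrade_target(version),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real data.
    sample_log = "INFO | Apache ActiveMQ 6.1.2 (localhost, ID:host-1) is starting"
    sample_jar = "activemq-broker-5.19.3.jar"
    for v in (version_from_log_line(sample_log), version_from_jar_name(sample_jar), "6.2.4"):
        print(assess(v))
```

Boundary values matter here: 5.19.4 and 6.2.4 are outside the affected ranges as the advisory words them, while 6.0.0 and 6.2.3 are inside. A snapshot or suffixed version string is compared on its numeric part only.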


Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-5568-6qcg-g7fx   Apache ActiveMQ: Denial of Service via Out of Memory vulnerability
History

Fri, 01 May 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache activemq Broker
CPEs                                  cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:apache:activemq_broker:*:*:*:*:*:*:*:*
Vendors & Products                    Apache activemq Broker

Mon, 13 Apr 2026 13:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache
                                      Apache activemq
Vendors & Products                    Apache
                                      Apache activemq

Sat, 11 Apr 2026 00:15:00 +0000

Type         Values Removed           Values Added
Weaknesses                            CWE-770
References
Metrics      threat_severity: None    threat_severity: Important


Fri, 10 Apr 2026 15:15:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-400
Metrics                       cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                              ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 11:00:00 +0000

Type          Values Removed   Values Added
Description                    Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.
Title                          Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T14:10:55.784Z

Reserved: 2026-04-06T12:51:57.606Z

Link: CVE-2026-39304

Vulnrichment

Updated: 2026-04-10T11:21:32.761Z

NVD

Status : Analyzed

Published: 2026-04-10T11:16:23.143

Modified: 2026-05-01T15:21:36.333

Link: CVE-2026-39304

Redhat

Severity : Important

Public Date: 2026-04-10T10:54:04Z

Links: CVE-2026-39304 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-13T13:06:07Z

Weaknesses