Impact
Apache ActiveMQ, ActiveMQ All, and ActiveMQ MQTT suffer an integer overflow or wraparound error when parsing the Remaining Length field of an MQTT control packet. This flaw allows an attacker to craft a malformed packet that corrupts memory during packet processing. The resulting data corruption may crash the broker or, in the worst case, lead to uncontrolled code execution or other integrity violations. The vulnerability is classified as CWE‑190 (Integer Overflow or Wraparound). The description lists a CVSS score of 7.5, indicating high impact if exploited.
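The bug class is easier to see in a decoder for the MQTT Remaining Length field (a variable byte integer: up to four bytes, seven value bits each, high bit set when another byte follows). The added example below is illustrative code written for this note, not ActiveMQ's own parser: decodeNaive reproduces the CWE‑190 pattern of accumulating into a fixed‑width integer with no byte‑count limit, and decodeChecked shows the bounded form a broker should use.

```go
package main

import (
	"errors"
	"fmt"
)

// decodeNaive illustrates the CWE-190 pattern (not ActiveMQ's code): it
// accumulates in a fixed-width int32 with no byte-count limit, so a 5th
// continuation byte wraps the multiplier and the running total.
func decodeNaive(buf []byte) (value int32, consumed int) {
	multiplier := int32(1)
	for i, b := range buf {
		value += int32(b&0x7F) * multiplier // wraps on the 5th byte
		multiplier *= 128                   // 128^4 wraps int32 to 0
		if b&0x80 == 0 {
			return value, i + 1
		}
	}
	return value, len(buf) // truncated input is indistinguishable here
}

// decodeChecked is the hardened form: stop after the spec maximum of
// 4 bytes (which bounds the value to 268,435,455), reject a 5th
// continuation byte, report truncation, and accumulate in uint64 so no
// intermediate step can wrap.
func decodeChecked(buf []byte) (int, int, error) {
	var value, multiplier uint64 = 0, 1
	for i := 0; i < 4; i++ {
		if i >= len(buf) {
			return 0, i, errors.New("truncated MQTT remaining length")
		}
		value += uint64(buf[i]&0x7F) * multiplier
		if buf[i]&0x80 == 0 {
			return int(value), i + 1, nil
		}
		multiplier *= 128
	}
	return 0, 4, errors.New("malformed MQTT remaining length")
}

func main() {
	hdr := []byte{0xFF, 0xFF, 0xFF, 0xFF, 0x7F} // constructed 5-byte header
	v, n := decodeNaive(hdr)
	fmt.Printf("naive: value=%d consumed=%d\n", v, n) // -1, 5
	_, _, err := decodeChecked(hdr)
	fmt.Println("checked:", err)
}
```

A negative or wrapped length returned by the naive decoder is exactly the value a broker would then use to size buffers or advance read offsets, which is how a length-field overflow turns into memory corruption; the checked decoder fails closed before that point.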
Affected Systems
All deployments running Apache ActiveMQ versions from 6.0.0 up to, but not including, 6.2.4 are affected. Versions 6.2.4 and later, as well as all 5.19.x releases from 5.19.2 onward, include the fix that prevents the integer overflow. The advisory does not explicitly confirm 5.19.1 and earlier as vulnerable, so users of those releases should verify their patch status.
Risk and Exploitability
The CVSS rating of 7.5 reflects significant severity, but the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low at present. The flaw is not listed in the CISA KEV catalog, implying no known public exploits. An attacker would need to send a specially crafted MQTT packet to a vulnerable broker, likely over an open or untrusted network. Authentication may still be required for certain packet types, and the vulnerability itself does not provide an authentication bypass; however, an attacker who succeeds in delivering the malicious packet could disrupt service or corrupt broker memory.