Description
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.

The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.

This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Integer overflow in MQTT packet handling may cause denial of service
Action: Patch immediately
AI Analysis

Impact

An integer overflow or wraparound (CWE-190) exists in the handling of the MQTT control packet Remaining Length field. The missing validation was originally reported as CVE-2025-66168 and corrected in 5.19.2, but that fix was not carried into the 6.x line, so every 6.x release from 6.0.0 up to and including 6.2.3 still lacks it. A Remaining Length value that is accepted without validation can wrap to an incorrect value and corrupt the packet parsing state, which can crash the broker or render it unresponsive; the published CVSS vector (C:N/I:N/A:H) reflects this as an availability-only impact.
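
To make the weakness concrete, the following is an added example written for this page; it is not Apache ActiveMQ's MQTT transport code. It implements the MQTT 3.1.1 Remaining Length encoding (a variable byte integer of at most four bytes, section 2.2.3 of the specification) two ways: a naive decoder with no bound on the number of continuation bytes, whose arithmetic is wrapped to a Java int by the helper to_java_int() so the CWE-190 wraparound is visible, and a checked decoder that enforces the specification's limit and then compares the decoded length against the bytes actually received. The packets at the bottom are constructed inputs, not captured traffic.

```python
# Added example for this page, not ActiveMQ project code. Implements the MQTT
# 3.1.1 Remaining Length variable byte integer (spec section 2.2.3) with a
# naive decoder (Java-int arithmetic simulated) and a checked decoder.

MAX_REMAINING_LENGTH = 268_435_455   # 0xFF 0xFF 0xFF 0x7F, the 4-byte maximum
MAX_MULTIPLIER = 128 ** 3            # multiplier in force while reading the 4th byte


def to_java_int(n: int) -> int:
    """Wrap n to a signed 32-bit value, mimicking Java int arithmetic."""
    n &= 0xFFFFFFFF
    return n - 0x1_0000_0000 if n & 0x8000_0000 else n


def encode_remaining_length(n: int) -> bytes:
    """Spec encoder: 7 value bits per byte, high bit set on all but the last."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | 0x80 if n else digit)
        if not n:
            return bytes(out)


def decode_naive(buf: bytes, offset: int = 1) -> tuple[int, int]:
    """Decode with no bound on byte count, using Java-int arithmetic.

    Nothing stops a fifth continuation byte, whose weight 128**4 == 2**28 is
    large enough for the value to cross 2**31 and wrap negative (CWE-190).
    Returns (remaining_length, offset_of_first_body_byte).
    """
    value, multiplier = 0, 1
    while True:
        b = buf[offset]
        offset += 1
        value = to_java_int(value + (b & 0x7F) * multiplier)
        multiplier = to_java_int(multiplier * 128)
        if not b & 0x80:
            return value, offset


def decode_checked(buf: bytes, offset: int = 1) -> tuple[int, int]:
    """Spec decoder: at most four bytes, so the value never exceeds MAX_REMAINING_LENGTH."""
    value, multiplier = 0, 1
    while True:
        if multiplier > MAX_MULTIPLIER:
            raise ValueError("malformed remaining length: more than 4 bytes")
        if offset >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[offset]
        offset += 1
        value += (b & 0x7F) * multiplier
        multiplier *= 128
        if not b & 0x80:
            return value, offset


def parse_fixed_header(packet: bytes) -> tuple[int, int, int, int]:
    """Return (packet_type, flags, remaining_length, body_offset) or raise.

    The encoding check alone is not enough: before a broker allocates or reads
    remaining_length bytes it must also compare the value against the data it
    actually received (or the largest frame it is willing to buffer).
    """
    if not packet:
        raise ValueError("empty packet")
    packet_type, flags = packet[0] >> 4, packet[0] & 0x0F
    remaining, body = decode_checked(packet, 1)
    if remaining > len(packet) - body:
        raise ValueError("remaining length exceeds data received")
    return packet_type, flags, remaining, body


def accepts(packet: bytes) -> bool:
    """True if parse_fixed_header accepts the packet, False if it rejects it."""
    try:
        parse_fixed_header(packet)
        return True
    except ValueError:
        return False


# Constructed test inputs (not captured traffic).
# CONNECT (type 1) fixed header followed by a 10-byte placeholder body.
GOOD_PACKET = bytes([0x10]) + encode_remaining_length(10) + bytes(10)
# Five-byte Remaining Length: 8 * 128**4 == 2**31, which wraps to -2**31 in a Java int.
MALFORMED_PACKET = bytes([0x10, 0x80, 0x80, 0x80, 0x80, 0x08])


def demo() -> dict:
    """Compare both decoders on the constructed packets."""
    naive_length, _ = decode_naive(MALFORMED_PACKET)
    return {
        "good_header": parse_fixed_header(GOOD_PACKET),
        "naive_length_for_malformed": naive_length,
        "checked_accepts_malformed": accepts(MALFORMED_PACKET),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The naive decoder turns the five-byte malformed length into a negative Java int, which is exactly the kind of value that corrupts downstream buffer handling; the checked decoder rejects the same bytes on the fifth byte, and separately rejects a well-encoded length that promises more data than the connection delivered.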

Affected Systems

The affected products are Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT, released by the Apache Software Foundation. Every 6.x release from 6.0.0 up to and including 6.2.3 is vulnerable; 6.2.4 is the first 6.x release with the fix. On the 5.19.x line the underlying issue (CVE-2025-66168) is fixed from 5.19.2 onward, including the current 5.19.5; only 5.19.x releases before 5.19.2 are affected there.

Risk and Exploitability

The published CVSS 3.1 base score is 7.5 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, no privileges or user interaction required, and an availability-only impact. EPSS is below 1%, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; the SSVC assessment records no known exploitation but rates the flaw as automatable. Exploitation requires sending a crafted MQTT control packet to the broker, which any remote client that can reach the MQTT transport connector can do. Until the broker is updated, the system remains at risk of service interruption.

Generated by OpenCVE AI on April 9, 2026 at 17:51 UTC.

Remediation

The vendor fix is the 6.2.4 release; on the 5.19.x line, 5.19.2 or later (currently 5.19.5) already contains it. The vendor publishes no workaround short of upgrading.

OpenCVE Recommended Actions

  • Upgrade to Apache ActiveMQ 6.2.4 or any later 6.x release, or to any 5.19.x release starting with 5.19.2
  • Confirm the broker’s version and verify that the patch has been applied
  • If an immediate upgrade is not possible, restrict which hosts can reach the MQTT transport connector (TCP 1883 in the default activemq.xml) with firewall rules to reduce exposure until the patch can be applied

Generated by OpenCVE AI on April 9, 2026 at 17:51 UTC.
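
The version check from the recommended actions, as an added example that is not part of the advisory or of the ActiveMQ project: classify_version applies only the ranges this page states (6.0.0 up to 6.2.3 vulnerable, 6.2.4 and later fixed; 5.19.0 and 5.19.1 vulnerable, 5.19.2 and later fixed) and reports anything else as not-covered rather than guessing. installed_version assumes the binary distribution layout, where lib/activemq-client-<version>.jar carries the release version; confirm the path for your packaging. ACTIVEMQ_HOME defaulting to /opt/activemq is an assumption.

```shell
#!/bin/sh
# Added example for this page, not advisory or ActiveMQ project code.
# Assumptions: binary distribution layout with lib/activemq-client-<ver>.jar,
# and ACTIVEMQ_HOME=/opt/activemq as the default install path.

# classify_version X.Y.Z  ->  vulnerable | fixed | not-covered
classify_version() {
  # keep only the numeric dotted part (drops qualifiers such as -SNAPSHOT)
  v=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
  set -- $(printf '%s\n' "$v" | tr '.' ' ')
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  case "$major" in
    6)
      # CVE-2026-40046: 6.0.0 <= version < 6.2.4
      if [ "$minor" -lt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -lt 4 ]; }; then
        echo vulnerable
      else
        echo fixed
      fi ;;
    5)
      # CVE-2025-66168 on the 5.19.x line: fixed from 5.19.2; other 5.x not described here
      if [ "$minor" -ne 19 ]; then
        echo not-covered
      elif [ "$patch" -lt 2 ]; then
        echo vulnerable
      else
        echo fixed
      fi ;;
    *) echo not-covered ;;
  esac
}

# installed_version DIR  ->  version taken from lib/activemq-client-<ver>.jar
installed_version() {
  jar=$(ls "$1"/lib/activemq-client-*.jar 2>/dev/null | head -n 1)
  [ -n "$jar" ] || return 1
  jar=${jar##*/activemq-client-}
  printf '%s\n' "${jar%.jar}"
}

ACTIVEMQ_HOME=${ACTIVEMQ_HOME:-/opt/activemq}   # assumed default path
if ver=$(installed_version "$ACTIVEMQ_HOME"); then
  echo "ActiveMQ $ver under $ACTIVEMQ_HOME: $(classify_version "$ver")"
else
  echo "no activemq-client jar under $ACTIVEMQ_HOME/lib (set ACTIVEMQ_HOME)" >&2
fi
```

The broker also names its version in the startup log line, which is a second place to confirm the result. For the interim firewall mitigation, the port to restrict is the one your mqtt transportConnector binds in activemq.xml (1883 in the default configuration).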

Advisories
Source        ID                     Title
Github GHSA   GHSA-xvqc-pp94-fmpx    Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT vulnerable to Integer Overflow or Wraparound
History

Sat, 11 Apr 2026 00:15:00 +0000

Type          Values Removed             Values Added
References
Metrics       threat_severity: None      threat_severity: Moderate


Fri, 10 Apr 2026 20:15:00 +0000

Type          Values Removed             Values Added
Metrics                                  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                         ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed     Values Added
First Time appeared                      Apache; Apache activemq; Apache activemq Mqtt
Vendors & Products                       Apache; Apache activemq; Apache activemq Mqtt


Thu, 09 Apr 2026 16:30:00 +0000

Type          Values Removed     Values Added
Description                      Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
Title                            Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
Weaknesses                       CWE-190
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T19:41:00.618Z

Reserved: 2026-04-08T15:21:53.253Z

Link: CVE-2026-40046

Vulnrichment

Updated: 2026-04-10T19:38:51.473Z

NVD

Status : Received

Published: 2026-04-09T17:16:31.650

Modified: 2026-04-10T20:16:22.430

Link: CVE-2026-40046

Redhat

Severity : Moderate

Public Date: 2026-04-09T15:58:32Z

Links: CVE-2026-40046 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:32:19Z

Weaknesses