Description
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.

An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate, which makes the broker buffer them without limit and exhausts the JVM heap.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated client that opens a STOMP NIO connection can send an unbounded stream of header bytes that never terminate. The broker then allocates buffer space for those bytes without any limit, which can exhaust the JVM heap and destabilize the instance. The vulnerability is a memory allocation with excessive size issue (CWE-789) that effectively causes a denial of service, potentially affecting all broker operations. The described attack does not require authentication, which makes it highly exploitable from any network that can reach a STOMP endpoint.
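As an added example (not code from ActiveMQ or from the advisory), the Python decoder below reads the command and header lines of a STOMP frame while enforcing a byte budget until the blank line that ends the headers arrives, so a client that streams header bytes which never terminate is rejected with bounded memory instead of growing the heap. The limits, the sample frames and the names used here are constructed for illustration.

```python
# Added example, not ActiveMQ's code: a STOMP header decoder that bounds the bytes
# it buffers while waiting for the blank line that ends the header block.
MAX_HEADER_BYTES, MAX_HEADERS = 8 * 1024, 32  # constructed limits; the broker's own are not on the page

class FrameTooLarge(Exception):
    """Header budget exceeded; the caller should close the connection."""

class StompHeaderDecoder:
    def __init__(self, max_header_bytes=MAX_HEADER_BYTES, max_headers=MAX_HEADERS):
        self.max_header_bytes, self.max_headers = max_header_bytes, max_headers
        self._buf, self.peak = bytearray(), 0  # peak: largest buffer seen, shows memory stays bounded

    def feed(self, chunk):
        """Feed one socket read; returns (command, headers, leftover) or None if more data is needed."""
        self._buf += chunk  # one read at most; the check below caps cumulative growth
        self.peak = max(self.peak, len(self._buf))
        # STOMP 1.2 allows \r\n line endings: accept either terminator, earliest occurrence wins.
        ends = [(i, len(t)) for t in (b"\n\n", b"\r\n\r\n")
                if (i := self._buf.find(t)) != -1]
        if not ends:
            if len(self._buf) > self.max_header_bytes:
                self._buf = bytearray()  # release what was held for this client
                raise FrameTooLarge("header block exceeds %d bytes" % self.max_header_bytes)
            return None  # headers incomplete; keep waiting, but only within the budget
        end, tlen = min(ends)
        head, leftover = bytes(self._buf[:end]), bytes(self._buf[end + tlen:])
        self._buf = bytearray()
        lines = [ln.rstrip(b"\r") for ln in head.split(b"\n")]
        if len(lines) - 1 > self.max_headers:
            raise FrameTooLarge("more than %d headers" % self.max_headers)
        headers = {}
        for line in lines[1:]:
            key, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line: %r" % line)
            headers.setdefault(key.decode(), value.decode())  # STOMP: first value for a key wins
        return lines[0].decode("ascii"), headers, leftover

def decode_stream(data, chunk_size=256, **limits):
    """Drive the decoder over data in chunk_size reads, as a socket read loop would."""
    dec = StompHeaderDecoder(**limits)
    for off in range(0, len(data), chunk_size):
        try:
            result = dec.feed(data[off:off + chunk_size])
        except FrameTooLarge as exc:
            return ("rejected", str(exc), dec.peak)
        if result is not None:
            return ("frame", result[0], result[1], dec.peak)
    return ("rejected", "stream ended mid-headers", dec.peak)
```

The peak value returned by decode_stream shows that, whatever the client sends, the decoder never holds more than the budget plus one socket read per connection.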

Affected Systems

Apache Software Foundation product web pages indicate that all three products (Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ Stomp) are affected in releases before 5.19.8 and in 6.x releases from 6.0.0 before 6.2.7. Users running any release prior to those patch versions are at risk. No other sub-product variants or versions are mentioned in the advisory.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw lets an unauthenticated client send a header stream that never terminates, it can exhaust the JVM heap and cause the broker to crash or become unresponsive. The attack requires only a STOMP connection and no privileged state, so any remote actor with network access to the endpoint can cause the denial of service. Until the update is applied, the threat remains present.

Generated by OpenCVE AI on June 30, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache ActiveMQ, Apache ActiveMQ All, or Apache ActiveMQ Stomp to the minimum recommended version 5.19.8 or 6.2.7. The update includes the fix that bounds header buffer size and prevents heap exhaustion.
  • Until the upgrade can be performed, restrict inbound STOMP NIO traffic to trusted hosts or segment the network so that only authorized applications can open STOMP connections. This limits the opportunity for an unauthenticated attacker to reach the vulnerable interface.
  • Monitor JVM heap usage and broker health metrics via JMX, logs, or observability tools. An abnormal rise in memory consumption or frequent broker restarts can be a sign of an ongoing exploit attempt.


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:15:00 +0000

Type: References
Type: Metrics
  Values removed: threat_severity: None
  Values added: threat_severity: Important


Tue, 30 Jun 2026 16:30:00 +0000

Type: Metrics
  Values added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 10:45:00 +0000

Type: Description
  Values added: Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Type: Title
  Values added: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec
Type: Weaknesses
  Values added: CWE-789
Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T15:58:46.098Z

Reserved: 2026-06-11T14:36:08.703Z

Link: CVE-2026-53916

Vulnrichment

Updated: 2026-06-30T11:06:21.374Z

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-06-30T09:49:55Z

Links: CVE-2026-53916 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-30T17:45:04Z

Weaknesses
  • CWE-789

    Memory Allocation with Excessive Size Value