PT-2026-31651 · Apache · Apache ActiveMQ

Adrien Bernard · Published 2026-03-04 · Updated 2026-05-03 · CVE-2026-40046

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ versions 6.0.0 through 6.1.8, 6.2.0, and prior to 5.19.2

Description: An integer overflow or wraparound issue exists in Apache ActiveMQ when decoding malformed packets. It is caused by improper validation of the Remaining Length field in MQTT control packets, which can lead to misinterpretation of the payload and unexpected broker behavior when the broker interacts with non-compliant clients. The malformed encoding violates the MQTT v3.1.1 specification, which limits the Remaining Length field to a maximum of 4 bytes. The scenario occurs on established connections after authentication. Brokers that do not use MQTT transport connectors are not impacted.

Recommendations: Upgrade to version 5.19.2 or later. Upgrade to version 6.1.9. Upgrade to version 6.2.1. Upgrade to version 6.2.4 or later.
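The Remaining Length decoding that the description refers to, shown as an added example that is not ActiveMQ's code and makes no claim about how the broker implements it: a decoder that enforces the MQTT v3.1.1 four-byte limit and then checks the declared length against the bytes actually received, next to an unbounded variant with a 32-bit accumulator that shows why the missing byte-count check matters. All packet bytes are constructed for the example; the function and class names are the example's own.

```python
"""Constructed example (not Apache ActiveMQ code): decoding the MQTT v3.1.1
Remaining Length field. The field is a variable-byte integer: each byte
carries 7 bits of value, bit 7 set means another byte follows, and the
specification allows at most 4 bytes (maximum value 268,435,455)."""

MAX_REMAINING_LENGTH = 268_435_455  # encoded as FF FF FF 7F
MAX_ENCODED_BYTES = 4


class MalformedPacket(ValueError):
    """Raised when a packet violates the Remaining Length encoding rules."""


def decode_remaining_length(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Spec-conformant decoder: returns (value, bytes_consumed).

    A continuation bit on the fourth byte is an error, not a reason to keep
    multiplying, so the accumulated value can never exceed MAX_REMAINING_LENGTH.
    """
    value = 0
    multiplier = 1
    consumed = 0
    while True:
        if offset + consumed >= len(data):
            raise MalformedPacket("truncated Remaining Length")
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if byte & 0x80 == 0:
            return value, consumed
        if consumed == MAX_ENCODED_BYTES:
            raise MalformedPacket("Remaining Length longer than 4 bytes")
        multiplier *= 128


def decode_remaining_length_naive(data: bytes, offset: int = 0) -> tuple[int, int]:
    """Illustrative decoder with NO byte-count limit and a 32-bit signed
    accumulator (the arithmetic a Java int would use). It exists only to
    show how an over-long encoding wraps into a meaningless length."""
    value = 0
    multiplier = 1
    consumed = 0
    while True:
        byte = data[offset + consumed]
        consumed += 1
        value = (value + (byte & 0x7F) * multiplier) & 0xFFFFFFFF
        if byte & 0x80 == 0:
            if value >= 0x80000000:          # reinterpret as signed 32-bit
                value -= 0x100000000
            return value, consumed
        multiplier = (multiplier * 128) & 0xFFFFFFFF


def parse_fixed_header(packet: bytes) -> dict:
    """Parse the MQTT fixed header and verify that the declared Remaining
    Length does not exceed the bytes actually present in the packet."""
    if len(packet) < 2:
        raise MalformedPacket("packet shorter than the minimum fixed header")
    packet_type = packet[0] >> 4
    flags = packet[0] & 0x0F
    remaining, n = decode_remaining_length(packet, 1)
    header_len = 1 + n
    if remaining > len(packet) - header_len:
        raise MalformedPacket("declared Remaining Length exceeds received bytes")
    return {
        "type": packet_type,
        "flags": flags,
        "remaining_length": remaining,
        "header_length": header_len,
    }


if __name__ == "__main__":
    # Constructed packets: a PINGREQ and a minimal PUBLISH (topic "abc", no payload).
    print(parse_fixed_header(b"\xc0\x00"))
    print(parse_fixed_header(b"\x30\x05\x00\x03abc"))
    # Five continuation bytes: rejected by the conformant decoder, wrapped by the naive one.
    over_long = b"\xff\xff\xff\xff\x7f"
    print("naive:", decode_remaining_length_naive(over_long))
    try:
        decode_remaining_length(over_long)
    except MalformedPacket as exc:
        print("conformant:", exc)
```

The five-byte input is the case the advisory describes: the conformant decoder rejects it as soon as the fourth byte still has its continuation bit set, whereas the naive decoder keeps multiplying, the accumulator wraps, and the "length" it hands back is -1. A broker that trusts such a value when sizing the next read mishandles the rest of the stream, which is the availability impact scored in the CVSS vector above.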

Fix

Integer Overflow


Weakness Enumeration

Related Identifiers

BIT-ACTIVEMQ-2025-66168
BIT-ACTIVEMQ-2026-40046
CVE-2026-40046
GHSA-C825-6PH3-4H84
GHSA-XVQC-PP94-FMPX
OESA-2026-2124
OESA-2026-2125
OESA-2026-2126
OESA-2026-2127

Affected Products

Apache ActiveMQ