PT-2026-31892 · Apache · Apache ActiveMQ, Apache ActiveMQ Broker, Apache ActiveMQ Client
Published 2026-04-10 · Updated 2026-05-03 · CVE-2026-39304
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Apache ActiveMQ Client versions before 5.19.4, from 6.0.0 through 6.2.3
Apache ActiveMQ Broker versions before 5.19.4, from 6.0.0 through 6.2.3
Apache ActiveMQ versions before 5.19.4, from 6.0.0 through 6.2.3
Description
A denial-of-service issue exists in Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ due to out-of-memory conditions. The NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdate messages initiated by clients; a rapid stream of such updates exhausts the broker's memory in the SSL engine, resulting in a denial of service. Connections using TLS versions prior to TLSv1.3 are not exposed to the out-of-memory condition, but may hang instead.
Recommendations
Upgrade to version 6.2.4 or 5.19.5 to resolve the issue.
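The following added example (not part of the advisory or of the ActiveMQ project) encodes the affected ranges and fixed releases stated above into a version check that an operator can run against an inventory of deployed broker and client versions. It assumes plain dotted numeric version strings; a suffix such as "-SNAPSHOT" is stripped before comparison.

```python
"""Check Apache ActiveMQ version strings against the affected ranges given in
this advisory (CVE-2026-39304).  Added example; assumes dotted numeric versions."""
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn "6.2.3" (or "6.2.3-SNAPSHOT") into a comparable tuple (6, 2, 3)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so "6.2" compares as (6, 2, 0).
    return parts + (0,) * max(0, 3 - len(parts))


# Affected ranges as stated in the advisory: every release before 5.19.4, and
# 6.0.0 through 6.2.3 inclusive.  Each entry is (lower_inclusive, upper_exclusive).
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 19, 4)),
    ((6, 0, 0), (6, 2, 4)),
]


def is_affected(version: str) -> bool:
    """True if the given ActiveMQ version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release named in the Recommendations for this version's line,
    or None when the version is not affected."""
    if not is_affected(version):
        return None
    return "6.2.4" if parse_version(version)[0] >= 6 else "5.19.5"


if __name__ == "__main__":
    # Constructed sample inventory covering both range boundaries.
    for v in ["5.18.3", "5.19.4", "6.0.0", "6.2.3-SNAPSHOT", "6.2.4", "7.0.0"]:
        print(f"{v:16} affected={is_affected(v)!s:5} upgrade_to={recommended_upgrade(v)}")
```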
Tags: Fix, DoS, Resource Exhaustion
Affected Products
Apache ActiveMQ
Apache ActiveMQ Broker
Apache ActiveMQ Client