Memory Exhaustion in Apache ActiveMQ Products Due to TLSv1.3 Handshake Issues
CVE-2026-39304

7.5 HIGH

What is CVE-2026-39304?

An Out of Memory vulnerability has been identified in Apache ActiveMQ products, caused by improper handling of TLSv1.3 handshake KeyUpdate messages initiated by clients. A client can trigger these updates rapidly, exhausting the memory of the broker's SSL engine and causing a Denial of Service. Notably, earlier TLS versions (such as TLSv1.2) exhibit different symptoms, such as connection hangs, but are not susceptible to Out of Memory errors. Apache strongly recommends upgrading to version 6.2.4 or 5.19.5 to mitigate this issue.

Affected Version(s)

  • Apache ActiveMQ 0 < 5.19.4

  • Apache ActiveMQ 6.0.0 < 6.2.4

  • Apache ActiveMQ All 0 < 5.19.4

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
