Integer Overflow Vulnerability in Apache ActiveMQ and MQTT by Apache
CVE-2026-40046

Currently unrated

What is CVE-2026-40046?

Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT are affected by an integer overflow or wraparound vulnerability. It arises because the remaining length field of an MQTT control packet is not adequately validated, and it affects versions prior to 6.2.4. Users are advised to upgrade to version 6.2.4, or to a 5.19.x release at 5.19.2 or later.
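The following is an added example, not code from ActiveMQ or from this advisory. It shows how an MQTT remaining length decoder can wrap a 32-bit `int` when the encoding length is unbounded, next to a bounded decoder. It assumes the MQTT wire format (7 value bits per byte, high bit as continuation flag, at most four bytes); the class name, method names and the `maxFrameSize` parameter are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added illustration; class and method names are hypothetical, not ActiveMQ code.
public class RemainingLengthDemo {
    // MQTT caps Remaining Length at 4 encoded bytes (maximum 268,435,455).
    static final int MAX_BYTES = 4;
    static final int MAX_VALUE = 268_435_455;

    // Unbounded decoder: keeps reading while the continuation bit is set,
    // so a fifth byte multiplies by 128^4 and the int wraps around.
    static int decodeUnchecked(InputStream in) throws IOException {
        int value = 0, multiplier = 1, b;
        do {
            b = in.read();
            if (b < 0) throw new IOException("truncated remaining length");
            value += (b & 0x7F) * multiplier;
            multiplier *= 128;
        } while ((b & 0x80) != 0);
        return value;
    }

    // Bounded decoder: rejects encodings longer than four bytes before the
    // arithmetic can overflow, and enforces a caller-supplied frame limit.
    static int decodeChecked(InputStream in, int maxFrameSize) throws IOException {
        long value = 0;
        for (int i = 0; i < MAX_BYTES; i++) {
            int b = in.read();
            if (b < 0) throw new IOException("truncated remaining length");
            value |= (long) (b & 0x7F) << (7 * i);
            if ((b & 0x80) == 0) {
                if (value > maxFrameSize) throw new IOException("frame exceeds limit: " + value);
                return (int) value;
            }
        }
        throw new IOException("remaining length longer than " + MAX_BYTES + " bytes");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: five length bytes, one more than MQTT allows.
        byte[] overlong = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x08};
        System.out.println("unchecked: " + decodeUnchecked(new ByteArrayInputStream(overlong)));
        try {
            decodeChecked(new ByteArrayInputStream(overlong), MAX_VALUE);
        } catch (IOException e) {
            System.out.println("checked:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

A decoded length that comes out negative or larger than the configured frame limit should end the connection before any buffer is sized from it.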

Affected Version(s)

Apache ActiveMQ 6.0.0 < 6.2.4

Apache ActiveMQ All 6.0.0 < 6.2.4

Apache ActiveMQ MQTT 6.0.0 < 6.2.4

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Adrien Bernard