Integer Overflow Vulnerability in Apache ActiveMQ and MQTT by Apache
CVE-2026-40046

7.5 HIGH

What is CVE-2026-40046?

Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT contain an integer overflow or wraparound vulnerability. It arises from inadequate validation of the remaining length field in MQTT control packets and affects versions prior to 6.2.4. Users are advised to upgrade to version 6.2.4, or to a 5.19.x release from 5.19.2 onward.
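
The following added example is not ActiveMQ code and does not reproduce the specific flaw. It is a generic Java sketch of why an MQTT remaining length decoder needs bounds: an unchecked variable-length decoder wraps a 32-bit int, while a checked one caps the field at 4 bytes and a local size limit. The class name, method names and the 1 MiB limit are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;

public class RemainingLengthDemo {
    // Unchecked: no cap on the number of length bytes, so the int
    // multiplier and accumulator wrap once a fifth byte is consumed.
    static int decodeUnchecked(InputStream in) throws IOException {
        int value = 0, multiplier = 1, b;
        do {
            b = in.read();
            if (b < 0) throw new IOException("truncated remaining length");
            value += (b & 0x7F) * multiplier;
            multiplier *= 128;
        } while ((b & 0x80) != 0);
        return value;
    }

    // Checked: at most 4 length bytes (MQTT 3.1.1 section 2.2.3, maximum
    // 268,435,455), accumulated in a long and compared with a local limit.
    static int decodeChecked(InputStream in, int maxPacketSize) throws IOException {
        long value = 0;
        for (int i = 0; i < 4; i++) {
            int b = in.read();
            if (b < 0) throw new IOException("truncated remaining length");
            value |= (long) (b & 0x7F) << (7 * i);
            if ((b & 0x80) == 0) {
                if (value > maxPacketSize) throw new IOException("packet too large: " + value);
                return (int) value;
            }
        }
        throw new IOException("remaining length longer than 4 bytes");
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: 0xC1 0x02 encodes 321; the second has five length bytes.
        byte[] valid = {(byte) 0xC1, 0x02};
        byte[] malformed = {(byte) 0xFF, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 0x7F};
        int limit = 1 << 20; // hypothetical 1 MiB broker-side limit

        System.out.println("checked, valid: " + decodeChecked(new ByteArrayInputStream(valid), limit));
        System.out.println("unchecked, malformed: " + decodeUnchecked(new ByteArrayInputStream(malformed)));
        try {
            decodeChecked(new ByteArrayInputStream(malformed), limit);
        } catch (IOException e) {
            System.out.println("checked, malformed: rejected (" + e.getMessage() + ")");
        }
    }
}
```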

Affected Version(s)

Apache ActiveMQ 6.0.0 < 6.2.4

Apache ActiveMQ All 6.0.0 < 6.2.4

Apache ActiveMQ MQTT 6.0.0 < 6.2.4

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Adrien Bernard