Memory Allocation Vulnerability in Apache ActiveMQ and Related Products
CVE-2026-53917

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache ActiveMQ; Apache ActiveMQ All; Apache ActiveMQ Client; Apache ActiveMQ Broker
Vendor: CVE Published:; 30 June 2026

What is CVE-2026-53917?

A vulnerability has been identified in Apache ActiveMQ and its associated products that allows authenticated users to exploit the system by sending specially crafted OpenWire Messages. These messages can contain an excessively large encoded size value for a map, leading to a denial of service (DoS) condition. The affected message property maps are unmarshaled without proper size validation, which may result in an out-of-memory (OOM) situation that crashes the broker. To mitigate this issue, users are advised to upgrade to version 6.2.7 or 5.19.8, where the vulnerability has been addressed.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.8

Apache ActiveMQ 6.0.0 < 6.2.7

Apache ActiveMQ All 0 < 5.19.8

References

https://lists.apache.org/thread/grrd1mwgkgblqjbwkkq6dvmdx...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 11, 2026

Credit

tonghuaroot

CVE-2026-53917 Data

JSON