{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40046", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-08T15:21:53.253Z", "datePublished": "2026-04-09T15:58:32.966Z", "dateUpdated": "2026-04-10T19:41:00.618Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:apache-activemq", "product": "Apache ActiveMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.2.4", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-all", "product": "Apache ActiveMQ All", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.2.4", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-mqtt", "product": "Apache ActiveMQ MQTT", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.2.4", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Adrien Bernard"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n\n</p><p>Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.</p>The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.<br><p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.</span>\n\n</p><p>Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.</p><p></p>"}], "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T15:58:32.966Z"}, "references": [{"tags": ["related"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-66168"}, {"tags": ["vendor-advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T19:39:38.679321Z", "id": "CVE-2026-40046", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T19:41:00.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Adrien Bernard"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2.4", "versionType": "semver"}], "packageName": "org.apache.activemq:apache-activemq", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ All", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2.4", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-all", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ MQTT", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2.4", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-mqtt", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2025-66168", "tags": ["related"]}, {"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>\n\n</p><p>Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.</p>The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.<br><p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.</span>\n\n</p><p>Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.</p><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T15:58:32.966Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T19:39:38.679321Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-10T19:38:51.473Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-40046", "state": "PUBLISHED", "dateUpdated": "2026-04-09T15:58:32.966Z", "dateReserved": "2026-04-08T15:21:53.253Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T15:58:32.966Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue."}], "id": "CVE-2026-40046", "lastModified": "2026-04-10T20:16:22.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T17:16:31.650", "references": [{"source": "security@apache.org", "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg"}, {"source": "security@apache.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-66168"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.2.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache ActiveMQ", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "activemq", "vendor": "apache"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.2.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "activemq_mqtt", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T17:51:16.821655+00:00", "value": {"mitigation_remediation": ["Upgrade to Apache ActiveMQ 6.2.4 or any later 6.x release, or to any 5.19.x release starting with 5.19.2", "Confirm the broker\u2019s version and verify that the patch has been applied", "If an immediate upgrade is not possible, restrict MQTT traffic using firewall rules to reduce exposure until a patch can be applied"], "summary": {"action": "Patch immediately", "impact": "Integer overflow in MQTT packet handling may cause denial of service"}, "threat_synthesis": {"affected_systems": "The affected products are Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT released by the Apache Software Foundation. All 6.0.0 through 6.2.3 versions are vulnerable. Versions 6.0.0 to before 6.2.4 (inclusive) are impacted. The 5.19.x line is vulnerable only before 5.19.2; versions 5.19.2 and newer, including the current 5.19.5, contain the fix.", "description_and_impact": "An integer overflow or wraparound flaw exists in the handling of the MQTT control packet remaining length field. The vulnerability originates from a missing validation that was corrected only in 5.19.2 and later releases, but the patch was omitted in all 6.0.0 and higher releases up to 6.2.3. Using an unvalidated length field can lead to a corrupted packet parsing state, which in turn can crash the broker or render it unresponsive.", "risk_and_exploitability": "No CVSS score is published and the EPSS score is unavailable, but the common weakness (integer overflow) suggests a moderate to high risk. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitation would require sending a specially crafted MQTT packet to the broker, which a remote actor can do by establishing a connection. Until the broker is updated, the system remains at risk of service interruption."}}}}, "created": "2026-04-10T08:53:07.115661+00:00", "updated": "2026-04-10T09:32:19.630928+00:00", "vendors": ["apache", "apache$PRODUCT$activemq", "apache$PRODUCT$activemq_mqtt"]}