CVE-2026-39304
Out of Memory DoS in Apache ActiveMQ TLSv1.3 NIO SSL
Publication date: 2026-04-10
Last updated on: 2026-05-01
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq | to 5.19.4 (exc) |
| apache | activemq_broker | to 5.19.4 (exc) |
| apache | activemq | From 6.0.0 (inc) to 6.2.4 (exc) |
| apache | activemq_broker | From 6.0.0 (inc) to 6.2.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39304 is a Denial of Service (DoS) vulnerability in Apache ActiveMQ that affects the Client, the Broker, and the ActiveMQ system as a whole.
The issue arises because the ActiveMQ NIO SSL transports do not properly handle TLSv1.3 handshake KeyUpdates triggered by clients. A malicious client can trigger these KeyUpdates rapidly, causing the broker's SSL engine to consume all available memory and reach an Out of Memory (OOM) condition.
This OOM condition results in a Denial of Service: the broker can no longer process legitimate requests.
The handling is also broken for earlier TLS versions such as TLSv1.2, but there it does not cause OOM; instead, it causes connection hangs because a full handshake renegotiation is performed.
The vulnerability affects Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4, and it has been fixed in versions 6.2.4 and 5.19.5.
How can this vulnerability impact me?
This vulnerability can cause a Denial of Service (DoS) on Apache ActiveMQ brokers by exhausting the broker's memory through rapid TLSv1.3 KeyUpdate requests.
As a result, the broker may become unresponsive or crash, disrupting messaging services that rely on ActiveMQ for communication.
This disruption can affect applications and systems dependent on ActiveMQ for message delivery, potentially causing downtime and loss of service availability.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade Apache ActiveMQ components to versions that have fixed the issue.
- Upgrade to Apache ActiveMQ version 6.2.4 or later.
- Upgrade to Apache ActiveMQ version 5.19.5 or later.
These versions address the improper handling of TLSv1.3 handshake KeyUpdates that cause the broker to exhaust memory and lead to a Denial of Service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.