CVE-2026-40046
Integer Overflow in Apache ActiveMQ MQTT Allows Potential Exploitation
Publication date: 2026-04-09
Last updated on: 2026-04-10
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq | From 5.19.2 (inc) |
| apache | activemq | 5.19.* |
| apache | activemq | to 6.2.4 (exc) |
| apache | activemq | 6.2.4 |
| apache | activemq_all | to 6.2.4 (exc) |
| apache | activemq_all | 6.2.4 |
| apache | activemq_mqtt | to 6.2.4 (exc) |
| apache | activemq_mqtt | 6.2.4 |
| apache | activemq | From 6.0.0 (inc) to 6.2.4 (exc) |
| apache | activemq_all | From 6.0.0 (inc) to 6.2.4 (exc) |
| apache | activemq_mqtt | From 6.0.0 (inc) to 6.2.4 (exc) |
| apache | activemq | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40046 is a moderate severity Integer Overflow or Wraparound vulnerability affecting Apache ActiveMQ versions 6.0.0 up to but not including 6.2.4, including Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT components.
This vulnerability exists because a fix for a related issue (CVE-2025-66168), which addressed improper validation of the MQTT control packet remaining length field, was applied only to the 5.19.2 and later 5.19.x releases but was missed in all 6.0.0+ versions. Therefore, versions from 6.0.0 before 6.2.4 remain vulnerable.
Users are recommended to upgrade to version 6.2.4 or to a 5.19.x version starting from 5.19.2 (latest 5.19.5) to fix this issue.
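The field at issue is the MQTT fixed-header "Remaining Length", a variable byte integer of 1 to 4 bytes (7 data bits per byte, continuation bit 0x80, maximum 268,435,455). The following is an added example, not ActiveMQ's code and not the patched or vulnerable implementation: a strict decoder for that field next to a hypothetical decoder that skips the 4-byte limit and accumulates in 32-bit arithmetic, to show how a CWE-190 wraparound turns an oversized length into a harmless-looking small value. The sample byte strings are constructed.

```python
MAX_REMAINING_LENGTH_BYTES = 4          # MQTT 3.1.1 / 5.0 fixed-header limit
MAX_REMAINING_LENGTH = 268_435_455      # 0xFF 0xFF 0xFF 0x7F


class MalformedPacket(ValueError):
    """Raised when the Remaining Length field violates the MQTT encoding."""


def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Strict decode. Returns (remaining_length, bytes_consumed).

    Rejects a field longer than 4 bytes, a truncated field, and a
    non-minimal encoding (a multi-byte field whose last byte is 0x00).
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == MAX_REMAINING_LENGTH_BYTES:
            raise MalformedPacket("remaining length exceeds 4 bytes")
        if offset + consumed >= len(buf):
            raise MalformedPacket("truncated remaining length field")
        digit = buf[offset + consumed]
        consumed += 1
        value += (digit & 0x7F) * multiplier   # never exceeds 268,435,455 here
        multiplier *= 128
        if not digit & 0x80:                   # continuation bit clear: done
            break
    if consumed > 1 and (digit & 0x7F) == 0:
        raise MalformedPacket("non-minimal remaining length encoding")
    return value, consumed


def rejects(buf: bytes) -> bool:
    """True if the strict decoder refuses the field (helper for checks)."""
    try:
        decode_remaining_length(buf)
    except MalformedPacket:
        return True
    return False


def naive_int32_decode(buf: bytes) -> int:
    """Hypothetical unchecked decoder (illustration of CWE-190 only).

    No 4-byte cap, so the multiplier reaches 2**28 and the next digit is
    scaled past 2**31; simulating Java-style int arithmetic shows the wrap.
    """
    def int32(x: int) -> int:
        x &= 0xFFFFFFFF
        return x - (1 << 32) if x & 0x80000000 else x

    value, multiplier = 0, 1
    for digit in buf:
        value = int32(value + (digit & 0x7F) * multiplier)
        multiplier = int32(multiplier * 128)
        if not digit & 0x80:
            break
    return value
```

With the constructed five-byte field 80 80 80 80 10 the strict decoder raises, while the naive one returns 0 (16 * 2**28 wraps to zero), which is the kind of mismatch between declared and actual length that a length-validation fix is meant to close.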
How can this vulnerability impact me?
This vulnerability is a moderate severity Integer Overflow or Wraparound issue in Apache ActiveMQ versions 6.0.0 up to but not including 6.2.4, including Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT components.
It arises because a fix for a related vulnerability was not applied to these versions, leaving them vulnerable to improper validation of the MQTT control packet remaining length field.
If exploited, this could potentially lead to unexpected behavior or security issues in the affected software, which may impact the reliability and security of messaging services relying on these versions.
Users are recommended to upgrade to version 6.2.4, or to a 5.19.x release of 5.19.2 or later, to remediate this issue.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache ActiveMQ to version 6.2.4 or later.
Alternatively, users can upgrade to a 5.19.x version starting from 5.19.2 (latest is 5.19.5), which also includes the fix.