CVE-2026-40046
Received Received - Intake
Integer Overflow in Apache ActiveMQ MQTT Allows Potential Exploitation

Publication date: 2026-04-09

Last updated on: 2026-04-10

Assigner: Apache Software Foundation

Description
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40046
EUVD
EUVD-2026-20956
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
apache activemq From 5.19.2 (inc)
apache activemq 5.19.*
apache activemq to 6.2.4 (exc)
apache activemq 6.2.4
apache activemq_all to 6.2.4 (exc)
apache activemq_all 6.2.4
apache activemq_mqtt to 6.2.4 (exc)
apache activemq_mqtt 6.2.4
apache activemq From 6.0.0 (inc) to 6.2.4 (exc)
apache activemq_all From 6.0.0 (inc) to 6.2.4 (exc)
apache activemq_mqtt From 6.0.0 (inc) to 6.2.4 (exc)
apache activemq *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability is a moderate severity Integer Overflow or Wraparound issue in Apache ActiveMQ versions 6.0.0 up to but not including 6.2.4, including Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT components.

It arises because a fix for a related vulnerability was not applied to these versions, leaving them vulnerable to improper validation of the MQTT control packet remaining length field.

If exploited, this could potentially lead to unexpected behavior or security issues in the affected software, which may impact the reliability and security of messaging services relying on these versions.

Users are recommended to upgrade to version 6.2.4 or to a 5.19.x version starting from 5.19.2 or later to remediate this issue.

Executive Summary

CVE-2026-40046 is a moderate severity Integer Overflow or Wraparound vulnerability affecting Apache ActiveMQ versions 6.0.0 up to but not including 6.2.4, including Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT components.

This vulnerability exists because a fix for a related issue (CVE-2025-66168), which addressed improper validation of the MQTT control packet remaining length field, was applied only to the 5.19.2 and later 5.19.x releases but was missed in all 6.0.0+ versions. Therefore, versions from 6.0.0 before 6.2.4 remain vulnerable.

Users are recommended to upgrade to version 6.2.4 or to a 5.19.x version starting from 5.19.2 (latest 5.19.5) to fix this issue.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache ActiveMQ to version 6.2.4 or later.

Alternatively, users can upgrade to a 5.19.x version starting from 5.19.2 (latest is 5.19.5), which also includes the fix.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40046. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart