CVE-2026-50734
Received Received - Intake

Memory Allocation DoS in Apache ActiveMQ

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validate and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
CVE-2026-50734
EUVD
EUVD-2026-40282

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
apache activemq_client From 6.0.0 (inc) to 6.2.7 (exc)
apache activemq From 6.0.0 (inc) to 6.2.7 (exc)
apache activemq_all From 6.0.0 (inc) to 6.2.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Memory Allocation with Excessive Size Value issue in Apache ActiveMQ Client and Apache ActiveMQ. An unauthenticated attacker can send a specially crafted WireFormatInfo frame containing a maliciously large size value. Because this size value is not validated, the broker attempts to allocate a very large amount of memory during the pre-authentication negotiation phase. This can lead to an out-of-memory (OOM) condition and cause the broker to crash.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition on the Apache ActiveMQ broker. An attacker can cause the broker to crash by exhausting its memory resources, disrupting messaging services and potentially causing downtime or loss of availability for applications relying on the broker.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache ActiveMQ Client, Apache ActiveMQ, or Apache ActiveMQ All to version 6.2.7 or 5.19.8, which contain the fix for this issue.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for suspicious WireFormatInfo frames that contain excessively large size values during the pre-authentication negotiation phase with Apache ActiveMQ brokers.

Since the vulnerability involves an unauthenticated attacker sending a crafted WireFormatInfo frame, you can use network packet capture tools like tcpdump or Wireshark to capture and analyze OpenWire protocol frames to identify unusually large size values.

  • Use tcpdump to capture traffic on the ActiveMQ port (default 61616): tcpdump -i <interface> port 61616 -w activemq_traffic.pcap
  • Open the capture file in Wireshark and filter for WireFormatInfo frames to inspect the size values.
  • Alternatively, use scripting or custom parsers to detect WireFormatInfo frames with size values exceeding normal thresholds.

Additionally, monitoring broker logs for out-of-memory errors or crashes during connection attempts can help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50734. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart