{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40046", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-08T15:21:53.253Z", "datePublished": "2026-04-09T15:58:32.966Z", "dateUpdated": "2026-04-10T19:41:00.618Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:apache-activemq", "product": "Apache ActiveMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.2.4", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-all", "product": "Apache ActiveMQ All", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.2.4", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}, {"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:activemq-mqtt", "product": "Apache ActiveMQ MQTT", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "6.2.4", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Adrien Bernard"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>\n\n</p><p>Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.</p>The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.<br><p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.</span>\n\n</p><p>Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.</p><p></p>"}], "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T15:58:32.966Z"}, "references": [{"tags": ["related"], "url": "https://www.cve.org/CVERecord?id=CVE-2025-66168"}, {"tags": ["vendor-advisory"], "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt"}, {"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T19:39:38.679321Z", "id": "CVE-2026-40046", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T19:41:00.618Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40046", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T19:39:38.679321Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T19:38:51.473Z"}}], "cna": {"title": "Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Adrien Bernard"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2.4", "versionType": "semver"}], "packageName": "org.apache.activemq:apache-activemq", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ All", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2.4", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-all", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}, {"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ MQTT", "versions": [{"status": "affected", "version": "6.0.0", "lessThan": "6.2.4", "versionType": "semver"}], "packageName": "org.apache.activemq:activemq-mqtt", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cve.org/CVERecord?id=CVE-2025-66168", "tags": ["related"]}, {"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt", "tags": ["vendor-advisory"]}, {"url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>\n\n</p><p>Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.</p>The fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.<br><p>\n\n<span style=\"background-color: rgb(255, 255, 255);\">This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.</span>\n\n</p><p>Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.</p><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T15:58:32.966Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40046", "state": "PUBLISHED", "dateUpdated": "2026-04-10T19:41:00.618Z", "dateReserved": "2026-04-08T15:21:53.253Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T15:58:32.966Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue."}], "id": "CVE-2026-40046", "lastModified": "2026-04-13T15:02:27.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T17:16:31.650", "references": [{"source": "security@apache.org", "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt"}, {"source": "security@apache.org", "url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg"}, {"source": "security@apache.org", "url": "https://www.cve.org/CVERecord?id=CVE-2025-66168"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "org.apache.activemq/apache-activemq: org.apache.activemq/activemq-all: org.apache.activemq/activemq-mqtt: MQTT control packet remaining length field is not properly validated (missing fix for CVE-2025-66168)", "id": "2456950", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456950"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-190", "details": ["A flaw was found in Apache ActiveMQ, Apache ActiveMQ All and Apache ActiveMQ MQTT. The fix for CVE-2025-66168 was not applied for 6.0.0+ versions. This exposed the underlying integer overflow/wraparound vulnerability when handling MQTT control packets, causing the broker to misinterpret payloads and leading to unexpected behavior when interacting with non-compliant clients."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-40046", "package_state": [{"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "activemq-all", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "activemq-mqtt", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "activemq-mqtt", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "activemq-mqtt", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-09T15:58:32Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40046\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40046\nhttps://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt\nhttps://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg\nhttps://www.cve.org/CVERecord?id=CVE-2025-66168"], "statement": "This issue specifically affects Apache ActiveMQ, Apache ActiveMQ All and Apache ActiveMQ MQTT versions from 6.0.0 before 6.2.4. These versions are not shipped in any Red Hat product.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.2.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache ActiveMQ", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "activemq", "vendor": "apache"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.0.0,6.2.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "activemq_mqtt", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-10T21:24:39.371200+00:00", "value": {"mitigation_remediation": ["Upgrade Apache ActiveMQ to version 6.2.4 or a 5.19.x release starting with 5.19.2 (currently 5.19.5) to apply the official fix.", "If an immediate upgrade is not possible, block or monitor the MQTT control port from untrusted networks to reduce the attack surface.", "Apply generic best practices such as regular patch management, network segmentation, and access controls to limit exposure of the broker."], "summary": {"action": "Immediate Patch", "impact": "Potential Denial of Service and memory corruption"}, "threat_synthesis": {"affected_systems": "All deployments running Apache ActiveMQ versions starting with 6.0.0 up to, but not including, 6.2.4 are affected. Versions 6.2.4 and later, as well as all 5.19.x releases starting with 5.19.2, include the fix that prevents the integer overflow. The advisory also notes that 5.19.1 and earlier were not explicitly confirmed as vulnerable, so users of those sub\u20115.19 releases should verify their patch status.", "description_and_impact": "Apache ActiveMQ, ActiveMQ All, and ActiveMQ MQTT suffer an integer overflow or wraparound error when parsing the remaining length field of an MQTT control packet. This flaw allows an attacker to craft a malformed packet that can corrupt memory during packet processing. The resulting data corruption may crash the broker or, in the worst case, lead to uncontrolled execution of code or other integrity violations. The vulnerability is identified as CWE\u2011190. The description lists a CVSS score of 7.5, indicating a high\u2011impact potential if exploited.", "risk_and_exploitability": "The CVSS rating of 7.5 reflects a significant severity, but the EPSS score of less than 1% suggests that the likelihood of exploitation in the wild is low at present. The flaw is not listed in the CISA KEV catalog, implying no known public exploits. Attackers would need to send a specially crafted MQTT packet to a vulnerable broker, likely over an open or untrusted network. While authentication may still be required for certain packet types, the vulnerability itself does not expose authentication bypass, but an attacker could potentially disrupt services or compromise memory after successfully sending the malicious packet."}}}}, "created": "2026-04-10T08:53:07.115661+00:00", "updated": "2026-04-13T13:06:50.167061+00:00", "vendors": ["apache", "apache$PRODUCT$activemq", "apache$PRODUCT$activemq_mqtt"]}