CVE-2026-40046
Published: Apr 9, 2026
Modified: Apr 10, 2026
Description
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
| Vendor | Product | Versions |
|---|---|---|
| Apache Software Foundation | Apache ActiveMQ | affected 6.0.0 - < 6.2.4 |
| Apache Software Foundation | Apache ActiveMQ All | affected 6.0.0 - < 6.2.4 |
| Apache Software Foundation | Apache ActiveMQ MQTT | affected 6.0.0 - < 6.2.4 |
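
To triage a broker inventory against the version ranges stated above, a check like the following can be used. It is an added example, not code from Apache ActiveMQ or from this advisory; the host names, status labels and the sample inventory are constructed for illustration.

```python
import re

# Version boundaries taken from the advisory text above.
AFFECTED_FROM = (6, 0, 0)   # first affected 6.x release
FIXED_6X = (6, 2, 4)        # first fixed 6.x release
FIXED_5X = (5, 19, 2)       # first 5.19.x release with the CVE-2025-66168 fix

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(.*)")


def triage(version_text):
    """Classify one broker version string against the advisory's ranges."""
    m = VERSION_RE.fullmatch(version_text.strip())
    if not m:
        return "unknown"                 # not a major.minor.patch string
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if m.group(4):
        # Qualified builds (e.g. -SNAPSHOT) may predate the fix in that release.
        return "verify-manually"
    if AFFECTED_FROM <= version < FIXED_6X:
        return "affected"                # 6.0.0 up to, not including, 6.2.4
    if version >= FIXED_6X:
        return "fixed"
    if version[:2] == (5, 19) and version >= FIXED_5X:
        return "fixed"                   # 5.19.2 and later 5.19.x
    return "not-covered"                 # this advisory gives no range for it


def triage_inventory(inventory):
    """Map host -> status for a {host: version} inventory."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE = {
    "mq-a": "6.1.0",
    "mq-b": "6.2.4",
    "mq-c": "5.19.5",
    "mq-d": "5.18.3",
    "mq-e": "6.2.4-SNAPSHOT",
    "mq-f": "not-a-version",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions reported as `not-covered` fall outside the ranges this entry lists and should be checked against the CVE-2025-66168 advisory instead.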
Weaknesses (CWE)