Description

Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was applied only to 5.19.2 (and future 5.19.x) releases and was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4, or to a 5.19.x version at 5.19.2 or later (the latest is currently 5.19.5), which fixes the issue.

PUBLISHED Reserved 2026-04-08 | Published 2026-04-09 | Updated 2026-04-10 | Assigner apache

Problem types

CWE-190 Integer Overflow or Wraparound

Product status

Apache ActiveMQ
Default status: unaffected
Affected: from 6.0.0 (semver) before 6.2.4

Apache ActiveMQ All
Default status: unaffected
Affected: from 6.0.0 (semver) before 6.2.4

Apache ActiveMQ MQTT
Default status: unaffected
Affected: from 6.0.0 (semver) before 6.2.4

Credits

Adrien Bernard (finder)

References

www.cve.org/CVERecord?id=CVE-2025-66168 (related)

activemq.apache.org/....data/CVE-2026-40046-announcement.txt (vendor-advisory)

lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg (vendor-advisory)

cve.org (CVE-2026-40046)

nvd.nist.gov (CVE-2026-40046)