Zero Day Monitor (ZDM) © 2026
CVE-2026-40046 (PATCHED)
Apache Software Foundation · Apache ActiveMQ

Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated

Description

Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
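The advisory does not publish the details of the flawed check, so the following is an added illustration rather than ActiveMQ's code or a reproduction of the reported bug. It shows the MQTT "Remaining Length" field (1 to 4 bytes, 7 data bits per byte, continuation bit 0x80, maximum 268,435,455) decoded two ways: a hypothetical unchecked decoder doing wrapping 32-bit arithmetic, which an attacker-chosen 5-byte encoding drives to a wrapped value, and a spec-conformant decoder that caps the byte count and also enforces a broker-side frame limit (the `max_frame` parameter is an assumed tunable, not an ActiveMQ setting). The sample inputs are constructed for the example.

```python
# Added example, not ActiveMQ's code: decoding the MQTT "Remaining Length"
# field with and without the bounds checks the protocol requires.
#
# MQTT 3.1.1 / 5.0 encode the remaining length as 1 to 4 bytes, 7 data bits
# per byte, continuation bit 0x80, least-significant group first. The largest
# encodable value is 268,435,455 (bytes FF FF FF 7F).

MQTT_MAX_REMAINING_LENGTH = 268_435_455
MQTT_MAX_LENGTH_BYTES = 4


def to_int32(value: int) -> int:
    """Emulate Java's wrapping 32-bit signed int arithmetic."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def decode_remaining_length_unchecked(buf: bytes) -> tuple[int, int]:
    """Illustrative UNCHECKED decoder (hypothetical; not ActiveMQ's code).

    It keeps consuming continuation bytes with no cap on the byte count and
    does its arithmetic in wrapping 32-bit ints, so a 5-byte encoding makes
    the accumulated value wrap (here to a negative length).
    Returns (length, bytes_consumed).
    """
    multiplier = 1
    value = 0
    i = 0
    while True:
        b = buf[i]
        i += 1
        value = to_int32(value + (b & 0x7F) * multiplier)
        multiplier = to_int32(multiplier * 128)
        if not (b & 0x80):
            return value, i


def decode_remaining_length(buf: bytes,
                            max_frame: int = MQTT_MAX_REMAINING_LENGTH) -> tuple[int, int]:
    """Spec-conformant decoder with the checks a broker should make.

    Raises ValueError on a truncated field, on more than 4 length bytes
    (which also bounds the value to the protocol maximum), and on a value
    above the broker's own frame limit (max_frame, an assumed tunable).
    Nothing should be allocated or read ahead before this returns.
    Returns (length, bytes_consumed).
    """
    multiplier = 1
    value = 0
    for i in range(MQTT_MAX_LENGTH_BYTES):
        if i >= len(buf):
            raise ValueError("truncated remaining-length field")
        b = buf[i]
        value += (b & 0x7F) * multiplier
        if not (b & 0x80):
            break
        multiplier *= 128
    else:
        # Four bytes consumed and the last one still had the continuation bit.
        raise ValueError("remaining length uses more than 4 bytes")
    if value > max_frame:
        raise ValueError(f"remaining length {value} exceeds configured frame limit {max_frame}")
    return value, i + 1


def encode_remaining_length(n: int) -> bytes:
    """Spec encoder (the MQTT 3.1.1 section 2.2.3 algorithm); builds test input."""
    if not 0 <= n <= MQTT_MAX_REMAINING_LENGTH:
        raise ValueError("value not encodable as an MQTT remaining length")
    out = bytearray()
    while True:
        digit = n % 128
        n //= 128
        if n > 0:
            digit |= 0x80
        out.append(digit)
        if n == 0:
            return bytes(out)


def demo() -> dict:
    """Run both decoders over constructed inputs and collect the outcomes."""
    good = encode_remaining_length(321)                 # constructed: bytes C1 02
    evil = bytes([0xFF, 0xFF, 0xFF, 0xFF, 0x7F])        # constructed: 5-byte encoding
    results = {
        "good": decode_remaining_length(good)[0],
        "evil_unchecked": decode_remaining_length_unchecked(evil)[0],
    }
    try:
        decode_remaining_length(evil)
    except ValueError as exc:
        results["evil_checked"] = str(exc)
    try:
        # A legal 100,000-byte frame against an assumed 64 KiB broker limit.
        decode_remaining_length(encode_remaining_length(100_000), max_frame=65_536)
    except ValueError:
        results["over_limit_rejected"] = True
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```

The unchecked decoder turns the constructed 5-byte input into a length of -1, which is the kind of wrapped value CWE-190 describes; the checked decoder rejects it after the fourth continuation byte and separately rejects a well-formed but oversized frame before any buffer is sized from it.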

Affected Products

Vendor                       Product                Versions
Apache Software Foundation   Apache ActiveMQ        from 6.0.0 before 6.2.4
Apache Software Foundation   Apache ActiveMQ All    from 6.0.0 before 6.2.4
Apache Software Foundation   Apache ActiveMQ MQTT   from 6.0.0 before 6.2.4

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor   Product    Source          Confidence
apache   activemq   cert_advisory   90%

References

  • https://www.cve.org/CVERecord?id=CVE-2025-66168 (related)
  • https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt (vendor advisory)
  • https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg (vendor advisory)

Related News (2 articles)

Tier B · BSI Advisories · 3h ago
[NEW] [medium] Apache ActiveMQ: Multiple vulnerabilities
→ No new info (linked only)
Tier C · oss-security · 19h ago
CVE-2026-40046: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
→ No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: 6.2.4
CWE: CWE-190 (Integer Overflow or Wraparound)
Published: Apr 9, 2026
Trending Score: 31
Source articles: 2
Independent: 2
Info Completeness: 0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack


Related CVEs (5)

MEDIUM · CVE-2026-34500
Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
Trending: 38
IMPORTANT · CVE-2026-29146
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Trending: 36
NONE · CVE-2026-24880
Apache Tomcat: Request smuggling via invalid chunk extension
Trending: 35
NONE · CVE-2026-29145
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Trending: 35
NONE · CVE-2026-25854
Apache Tomcat: Occasionally open redirect
Trending: 35

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 9, 2026
Discovered by ZDM: Apr 9, 2026
Patch Available: Apr 9, 2026