Zero Day MonitorZDM

← Back to list

5.4

CVE-2025-66168PATCHED

apache · activemq

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectl

Description

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.

Affected Products

Vendor	Product	Versions
apache	activemq	< 5.19.2, <= 6.1.8

References

https://lists.apache.org/thread/13n8mkrb2jf2y6yyhpgrkmpqcm7djyto(Mailing List, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/03/03/5(Mailing List, Third Party Advisory)

Related News (2 articles)

Tier C

oss-security10h ago

CVE-2026-40046: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated

→ No new info (linked only)

Tier B

BSI Advisories1d ago

[NEU] [mittel] Apache ActiveMQ, Client, Broker und Web: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.15.4 MEDIUM

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA KEV❌ No

Actively exploited❌ No

Patch available

5.19.2

CWECWE-190

PublishedMar 4, 2026

Last enriched8d ago

Tags

file manipulationcode executionauthenticated remote attack

Trending Score33

Source articles2

Independent2

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-34197EXP

Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Authenticated users could perform RCE via Jolokia MBeans

HIGHCVE-2026-34486EXP

Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

HIGHCVE-2026-27314EXP

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

HIGHCVE-2025-62188EXP

Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

LOWCVE-2026-34487EXP

Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Mar 4, 2026

Patch Available

Mar 10, 2026

Discovered by ZDM

Apr 1, 2026