Apache ActiveMQ, a cornerstone of multi-platform application integration, has released critical updates to address vulnerabilities that could lead to widespread service disruptions. The disclosures highlight issues ranging from memory-exhaustion attacks to missed security regressions in the MQTT protocol.
The most critical of the new disclosures is CVE-2026-39304, an Important-rated vulnerability in the broker's handling of TLS. Analysts discovered that the ActiveMQ NIO SSL transports do not correctly process TLSv1.3 KeyUpdate requests triggered by clients.
This flaw allows a malicious client to trigger KeyUpdates in rapid succession, forcing the broker to exhaust its memory within the SSL engine. The result is a Denial of Service (DoS) via an Out of Memory (OOM) condition. While older versions of TLS such as v1.2 are not susceptible to the OOM crash, they are still affected by connection hangs during renegotiation.
The second issue, CVE-2026-40046, is a regression in the 6.0.0 release line. A previous security fix that validates the "remaining length" field in MQTT control packets (originally tracked as CVE-2025-66168) was applied to the older 5.19.x branches but was inadvertently omitted from every version in the 6.0.0+ series. This oversight re-introduced an Integer Overflow vulnerability for users on the newer release track.
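As an added example, not code from ActiveMQ or from the advisory, the following decodes the MQTT 3.1.1 "remaining length" field with the bounds checks the paragraph above describes, next to an unchecked 32-bit decoder that shows how the overflow class behaves when a fifth length byte arrives. The packet bytes are constructed samples, and `MalformedPacket` and both function names are assumptions of this example.

```python
# Added example (not ActiveMQ code): decoding the MQTT 3.1.1 "remaining length"
# field with the bounds checks that the 6.0.x regression dropped, beside a
# naive 32-bit decoder that shows the overflow class. Inputs are constructed.

MAX_REMAINING_LENGTH = 268_435_455  # encoded FF FF FF 7F, the 4-byte maximum
MAX_LENGTH_BYTES = 4                # MQTT 3.1.1 section 2.2.3


class MalformedPacket(ValueError):
    """Raised instead of sizing a buffer from an untrusted length."""


def decode_remaining_length(buf: bytes, offset: int = 1) -> tuple[int, int]:
    """Return (remaining_length, index of the first variable-header byte),
    rejecting a field longer than four bytes, a truncated field, or a value
    above the protocol maximum so the length is bounded before allocation."""
    value, multiplier = 0, 1
    for i in range(MAX_LENGTH_BYTES):
        pos = offset + i
        if pos >= len(buf):
            raise MalformedPacket("truncated remaining-length field")
        b = buf[pos]
        value += (b & 0x7F) * multiplier
        if not b & 0x80:                      # continuation bit clear: last byte
            if value > MAX_REMAINING_LENGTH:  # unreachable with 4 bytes; kept as a guard
                raise MalformedPacket("remaining length exceeds protocol maximum")
            return value, pos + 1
        multiplier *= 128
    raise MalformedPacket("remaining length uses more than 4 bytes")


def naive_decode_32bit(buf: bytes, offset: int = 1) -> tuple[int, int]:
    """Unchecked decoder with a 32-bit signed accumulator (illustrates the bug
    class only; not ActiveMQ's code): a fifth length byte wraps the value."""
    value, multiplier, pos = 0, 1, offset
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        value = (value + (b & 0x7F) * multiplier) & 0xFFFFFFFF
        if value >= 1 << 31:                  # emulate Java int sign wrap
            value -= 1 << 32
        if not b & 0x80:
            return value, pos
        multiplier = (multiplier * 128) & 0xFFFFFFFF
    raise MalformedPacket("truncated remaining-length field")
```

With the five-byte encoding `80 80 80 80 10`, the unchecked decoder returns a remaining length of 0 and `80 80 80 80 08` yields a negative length, while the bounded decoder refuses both before any buffer is sized.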
Administrators are advised to inventory their broker versions and apply the following updates:
- 6.x Users: Upgrade to version 6.2.4 or later.
- 5.x Users: Ensure you are running at least version 5.19.5 to address both the TLS and MQTT issues.