Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT: Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated

Summary

CVE	CVE-2026-40046
State	PUBLISHED
Assigner	apache
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-09 17:16:31 UTC
Updated	2026-04-09 17:16:31 UTC
Description	Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.

Risk And Classification

Problem Types: CWE-190 | CWE-190 CWE-190 Integer Overflow or Wraparound

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Apache Software Foundation	Apache ActiveMQ	affected 6.0.0 6.2.4 semver	Not specified
CNA	Apache Software Foundation	Apache ActiveMQ All	affected 6.0.0 6.2.4 semver	Not specified
CNA	Apache Software Foundation	Apache ActiveMQ MQTT	affected 6.0.0 6.2.4 semver	Not specified

References

Reference	Source	Link	Tags
activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt	[email protected]	activemq.apache.org
lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg	[email protected]	lists.apache.org
www.cve.org/CVERecord	[email protected]	www.cve.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Adrien Bernard (en)

There are currently no legacy QID mappings associated with this CVE.