CVE-2026-39304
Published: 10 April 2026
Summary
CVE-2026-39304 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Apache ActiveMQ. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 16.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) directly mitigates the CVE by requiring timely remediation: patch Apache ActiveMQ to 5.19.5 or 6.2.4, the releases that fix the improper handling of TLSv1.3 KeyUpdates.
SC-5 (Denial-of-service Protection) implements protections that block or rate-limit the rapid, client-triggered TLSv1.3 KeyUpdates that exhaust memory in the ActiveMQ SSL engine.
Resource allocation limits on broker memory bound the damage from excessive allocations in the SSL engine caused by repeated KeyUpdate messages, so a single abusive connection cannot take down the whole process.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw is reachable by a remote, unauthenticated client with network access to a public-facing ActiveMQ broker: repeated TLSv1.3 KeyUpdate messages exhaust memory in the broker's SSL engine. That maps to T1190 (Exploit Public-Facing Application) for the exploitation of an exposed service and to T1499.004 (Endpoint Denial of Service: Application or System Exploitation) for the resulting outage.
NVD Description
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.
Deeper analysis
CVE-2026-39304 is a denial-of-service vulnerability caused by an out-of-memory condition in Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ. The NIO SSL transports do not correctly handle TLSv1.3 KeyUpdates initiated by clients, so a client can trigger updates rapidly enough to exhaust the broker's memory in the SSL engine. The affected versions are those before 5.19.4 and from 6.0.0 before 6.2.4, for all three components. TLS versions before 1.3 are also mishandled, but differently: a client-initiated renegotiation there requires a full handshake and hangs the connection rather than exhausting memory. Both behaviours are addressed by the fix.
A remote, unauthenticated attacker with network access can exploit this by opening a TLSv1.3 connection to an affected NIO SSL transport and, once the handshake has completed, sending KeyUpdate messages in rapid succession (in TLSv1.3, KeyUpdate is a post-handshake message, so no new handshake is required). Each update forces the broker's SSL engine to allocate memory, and the allocations accumulate until the broker runs out of memory and stops serving clients. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects high availability impact with low attack complexity and no privileges required.
The Apache security advisory and related announcements recommend upgrading to Apache ActiveMQ 5.19.5 or 6.2.4, which correct the handling of TLSv1.3 KeyUpdates and also fix the connection-hang behaviour under earlier TLS versions. Note that the advisory's affected range for the 5.x line is stated as "before 5.19.4" while the recommended fix is 5.19.5; when reconciling an inventory, treat 5.19.5 (or 6.2.4) as the remediation target rather than assuming 5.19.4 is fixed. Details are available in the official announcement at https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt and on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/17.
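The version ranges above are the check a flaw-remediation (SI-2) pass has to make against every ActiveMQ artifact in an inventory. The following Python is an added example, not code from this page or from the ActiveMQ project: it classifies artifact names against the NVD ranges quoted here. The constructed inventory strings, the status labels, and the decision to report 5.19.4 as "unclear" (it lies outside the stated affected range but is not the release the advisory tells users to upgrade to) are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Ranges as quoted in the NVD description on this page.
AFFECTED_5X_BEFORE = (5, 19, 4)            # "before 5.19.4"
AFFECTED_6X = ((6, 0, 0), (6, 2, 4))       # "from 6.0.0 before 6.2.4"
FIXED_5X = "5.19.5"
FIXED_6X = "6.2.4"

Version = Tuple[int, int, int]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


class Verdict(NamedTuple):
    artifact: str
    version: Optional[Version]
    status: str   # "affected" | "unclear" | "unparsed" | "fixed"
    action: str


def parse_version(text: str) -> Optional[Version]:
    """Pull the first x.y.z out of a jar name, Maven coordinate or version string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    a, b, c = m.groups()
    return (int(a), int(b), int(c))


def classify(artifact: str) -> Verdict:
    """Map one artifact to a remediation verdict for CVE-2026-39304."""
    v = parse_version(artifact)
    if v is None:
        return Verdict(artifact, None, "unparsed",
                       "no x.y.z version found; inspect manually")
    if v < AFFECTED_5X_BEFORE:
        return Verdict(artifact, v, "affected", f"upgrade to {FIXED_5X}")
    lo, hi = AFFECTED_6X
    if lo <= v < hi:
        return Verdict(artifact, v, "affected", f"upgrade to {FIXED_6X}")
    if v == AFFECTED_5X_BEFORE:
        # Assumption of this example: the advisory's affected range stops
        # before 5.19.4, but 5.19.5 is the version users are told to move to,
        # so 5.19.4 is flagged rather than silently called fixed.
        return Verdict(artifact, v, "unclear",
                       f"outside the stated affected range but the fix is {FIXED_5X}; upgrade")
    return Verdict(artifact, v, "fixed", "no action for CVE-2026-39304")


_PRIORITY = {"affected": 0, "unclear": 1, "unparsed": 2, "fixed": 3}


def scan_inventory(artifacts: List[str]) -> List[Verdict]:
    """Classify every artifact, worst status first, so the report leads with work to do."""
    return sorted((classify(a) for a in artifacts), key=lambda v: _PRIORITY[v.status])


def summarize(verdicts: List[Verdict]) -> dict:
    """Count verdicts per status (useful as the one-line metric for a ticket)."""
    counts = {status: 0 for status in _PRIORITY}
    for v in verdicts:
        counts[v.status] += 1
    return counts


if __name__ == "__main__":
    # Constructed inventory (not from a real deployment): jar names and a
    # Maven coordinate as they might appear in a software bill of materials.
    inventory = [
        "activemq-broker-5.18.3.jar",
        "activemq-client-6.1.0.jar",
        "org.apache.activemq:activemq-all:6.2.4",
        "activemq-broker-5.19.4.jar",
        "activemq-client-5.19.5.jar",
        "activemq-all-SNAPSHOT.jar",
    ]
    report = scan_inventory(inventory)
    for v in report:
        print(f"{v.status:9} {v.artifact:42} {v.action}")
    print(summarize(report))
```

The checker deliberately treats anything it cannot parse as work rather than as safe, and it orders the report so affected and ambiguous artifacts come first; a SNAPSHOT or vendor-patched build still needs a human to confirm which upstream release it contains.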
Details
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)