CVE-2026-40046
Published: 09 April 2026
Summary
CVE-2026-40046 is a high-severity Integer Overflow or Wraparound (CWE-190) vulnerability in Apache ActiveMQ (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely remediation of known flaws like this integer overflow vulnerability by applying patches or upgrades to fixed ActiveMQ versions.
- Requires validation of untrusted inputs such as MQTT control packet remaining length fields to prevent integer overflows and wraparounds.
- Implements protections against denial-of-service attacks exploiting this vulnerability through crafted packets causing crashes or resource exhaustion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing MQTT service allows unauthenticated network attacker to send crafted packet triggering integer overflow for DoS; directly maps to exploiting public-facing app (T1190) and application/system exploitation for endpoint DoS (T1499.004).
NVD Description
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.
Deeper analysis
CVE-2026-40046 is an Integer Overflow or Wraparound vulnerability (CWE-190) affecting the MQTT component in Apache ActiveMQ, Apache ActiveMQ All, and Apache ActiveMQ MQTT. It stems from a missed application of the fix for CVE-2025-66168, which addressed improper validation of the MQTT control packet remaining length field. The vulnerability impacts Apache ActiveMQ versions from 6.0.0 before 6.2.4, as well as the corresponding versions of Apache ActiveMQ All and Apache ActiveMQ MQTT.
The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), with a base score of 7.5, reflects that an unauthenticated attacker with network access can exploit this vulnerability without user interaction. By sending a specially crafted MQTT control packet, the attacker triggers an integer overflow or wraparound in the handling of the remaining length field, leading to a denial-of-service condition through application crashes or resource exhaustion.
The Apache security advisory recommends upgrading to Apache ActiveMQ version 6.2.4 or to a 5.19.x version starting from 5.19.2 (with the latest being 5.19.5), which include the proper fix for the MQTT validation issue. Additional details are available in the official announcement and related mailing list thread.
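The remaining length field that the analysis and the SI-10 control above refer to is the variable byte integer in every MQTT fixed header: 7 data bits per byte, a continuation bit (0x80), at most four bytes, and a maximum value of 268,435,455. The following is an added example, not code from Apache ActiveMQ or from the advisory, showing how a decoder that trusts that field can wrap into a negative length under 32-bit arithmetic, beside a decoder that enforces the spec limits and an assumed per-deployment maximum packet size. The function names, the `MalformedPacket` exception and the sample frames are constructed for this illustration.

```python
"""Decoding and validating the MQTT control packet remaining length field.

Added example for this advisory; not Apache ActiveMQ code. Encoding rules
(7 data bits per byte, continuation bit 0x80, at most 4 bytes, maximum value
268,435,455) come from the MQTT 3.1.1/5.0 specification. The max_packet_size
parameter is an assumed deployment setting, not an ActiveMQ configuration key.
"""

MAX_MULTIPLIER = 128 ** 3            # multiplier used by the 4th (last allowed) byte
MAX_REMAINING_LENGTH = 268_435_455   # encoded as FF FF FF 7F


class MalformedPacket(ValueError):
    """Raised when the fixed header violates the spec or a local limit."""


def decode_remaining_length_unchecked(buf: bytes, offset: int = 1):
    """Naive decoder that mirrors the CWE-190 failure mode.

    It keeps consuming continuation bytes with no 4-byte limit and emulates
    32-bit signed arithmetic, so an over-long field wraps to a bogus value
    (for example -1) that a caller may then use as a buffer size.
    """
    multiplier, value = 1, 0
    while True:
        b = buf[offset]
        offset += 1
        value = (value + (b & 0x7F) * multiplier) & 0xFFFFFFFF  # 32-bit wrap
        multiplier = (multiplier * 128) & 0xFFFFFFFF
        if not (b & 0x80):
            break
    if value >= 0x80000000:          # reinterpret as signed int32
        value -= 0x100000000
    return value, offset


def decode_remaining_length(buf: bytes, offset: int = 1,
                            max_packet_size: int = MAX_REMAINING_LENGTH):
    """Spec-conformant decoder: bounded byte count, no truncation, local cap."""
    multiplier, value = 1, 0
    while True:
        if offset >= len(buf):
            raise MalformedPacket("truncated remaining length field")
        if multiplier > MAX_MULTIPLIER:
            raise MalformedPacket("remaining length encoded in more than 4 bytes")
        b = buf[offset]
        offset += 1
        value += (b & 0x7F) * multiplier   # cannot exceed 268,435,455 in 4 bytes
        multiplier *= 128
        if not (b & 0x80):
            break
    if value > max_packet_size:
        raise MalformedPacket(
            f"remaining length {value} exceeds configured maximum {max_packet_size}")
    return value, offset


def validate_fixed_header(frame: bytes, max_packet_size: int = MAX_REMAINING_LENGTH):
    """Parse the fixed header of a complete frame.

    Returns (packet_type, remaining_length, body_offset) or raises
    MalformedPacket. Rejects reserved packet type 0 and frames whose declared
    remaining length does not match the bytes actually present.
    """
    if len(frame) < 2:
        raise MalformedPacket("fixed header needs at least 2 bytes")
    packet_type = frame[0] >> 4
    if packet_type == 0:
        raise MalformedPacket("reserved control packet type 0")
    remaining, body_offset = decode_remaining_length(frame, 1, max_packet_size)
    if len(frame) - body_offset != remaining:
        raise MalformedPacket("declared remaining length does not match frame size")
    return packet_type, remaining, body_offset


if __name__ == "__main__":
    # Constructed sample frames (not captured traffic).
    publish_empty = b"\x30\x00"                      # PUBLISH, remaining length 0
    connect_128 = b"\x10\x80\x01" + b"\x00" * 128    # remaining length 128 in 2 bytes
    overlong = b"\x30\xff\xff\xff\xff\x7f"           # 5 encoded bytes, spec-invalid
    print(validate_fixed_header(publish_empty))
    print(validate_fixed_header(connect_128))
    print("naive decoder returns", decode_remaining_length_unchecked(overlong)[0])
    try:
        decode_remaining_length(overlong)
    except MalformedPacket as exc:
        print("hardened decoder rejects:", exc)
```

The naive decoder returns -1 for the five-byte field because 0x7F in each of five positions sums to 2^35 - 1, which is 0xFFFFFFFF modulo 2^32. The hardened decoder never reaches that state: it stops accepting continuation bytes after the fourth, refuses a field that runs past the end of the buffer, and additionally caps the value at a local maximum packet size so that a spec-legal 256 MiB declaration cannot drive memory allocation on its own.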
Details
- CWE(s)