CVE-2026-40046: Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT vulnerable to Integer Overflow or Wraparound

April 9, 2026 (updated April 10, 2026)

The fix for “CVE-2025-66168: MQTT control packet remaining length field is not properly validated” was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.

References

activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt
github.com/advisories/GHSA-xvqc-pp94-fmpx
lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg
nvd.nist.gov/vuln/detail/CVE-2026-40046
www.cve.org/CVERecord?id=CVE-2025-66168

Code Behaviors & Features

Detect and mitigate CVE-2026-40046 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →