CVE-2025-66168

EUVD-2025-208266
WARNING:

Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases.

See the  following for more details:
 https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt 
 https://www.cve.org/CVERecord?id=CVE-2026-40046 



Original Report:

Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted.

This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0

Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
apacheactivemq
𝑥
< 5.19.2
apacheactivemq
6.0.0 ≤
𝑥
≤ 6.1.8
apacheactivemq
6.2.0
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
activemq
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
questing
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt
https://lists.apache.org/thread/13n8mkrb2jf2y6yyhpgrkmpqcm7djyto
https://www.cve.org/CVERecord?id=CVE-2026-40046
http://www.openwall.com/lists/oss-security/2026/03/03/5