Integer overflow in Apache Software Foundation ActiveMQ
CVE-2026-40046
Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and…
Vulnerability class: Integer Overflow
EPSS: 0.001 (17.2th percentile)
Affected products
- Apache Software Foundation ActiveMQ — versions 6.0.0
- Apache Software Foundation ActiveMQ All — versions 6.0.0
- Apache Software Foundation ActiveMQ MQTT — versions 6.0.0
Weakness classification (CWE)
References
- www.cve.org/CVERecord (related)
- activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt (vendor-advisory)
- lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg (vendor-advisory)