CVE-2025-66168: CWE-190 Integer Overflow or Wraparound in Apache Software Foundation Apache ActiveMQ
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 Original Report: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
AI Analysis
Technical Summary
Apache ActiveMQ versions before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 improperly validate the MQTT Remaining Length field, leading to an integer overflow during decoding of malformed MQTT packets. This overflow causes incorrect computation of the Remaining Length, resulting in misinterpretation of the payload as multiple MQTT control packets. This behavior violates the MQTT v3.1.1 specification and may cause unexpected broker behavior when interacting with non-compliant MQTT clients. The vulnerability manifests on established connections post-authentication and only affects brokers with MQTT transport connectors enabled.
Potential Impact
The integer overflow can cause the broker to misinterpret MQTT payloads, potentially leading to unexpected behavior when handling MQTT traffic from non-compliant clients. The impact is limited to confidentiality and integrity with low-level consequences (CVSS 5.4), and there is no indication of availability impact or known exploits in the wild. Brokers not using MQTT transport connectors are not affected.
Mitigation Recommendations
A fix is available. Users should upgrade Apache ActiveMQ to version 5.19.2, 6.1.9, or 6.2.1 or later to address this vulnerability. The advisory notes that users of 6.x should upgrade to 6.2.4 or later as the fix was missed in earlier 6.x releases. No additional mitigation steps are indicated beyond applying the official patches.
CVE-2025-66168: CWE-190 Integer Overflow or Wraparound in Apache Software Foundation Apache ActiveMQ
Description
WARNING: Users of 6.x should upgrade to 6.2.4 or later as the fix was missed in previous 6.x releases. See the following for more details: https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt https://www.cve.org/CVERecord?id=CVE-2026-40046 Original Report: Apache ActiveMQ does not properly validate the remaining length field which may lead to an overflow during the decoding of malformed packets. When this integer overflow occurs, ActiveMQ may incorrectly compute the total Remaining Length and subsequently misinterpret the payload as multiple MQTT control packets which makes the broker susceptible to unexpected behavior when interacting with non-compliant clients. This behavior violates the MQTT v3.1.1 specification, which restricts Remaining Length to a maximum of 4 bytes. The scenario occurs on established connections after the authentication process. Brokers that are not enabling mqtt transport connectors are not impacted. This issue affects Apache ActiveMQ: before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 Users are recommended to upgrade to version 5.19.2, 6.1.9, or 6.2.1, which fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache ActiveMQ versions before 5.19.2, 6.0.0 to 6.1.8, and 6.2.0 improperly validate the MQTT Remaining Length field, leading to an integer overflow during decoding of malformed MQTT packets. This overflow causes incorrect computation of the Remaining Length, resulting in misinterpretation of the payload as multiple MQTT control packets. This behavior violates the MQTT v3.1.1 specification and may cause unexpected broker behavior when interacting with non-compliant MQTT clients. The vulnerability manifests on established connections post-authentication and only affects brokers with MQTT transport connectors enabled.
Potential Impact
The integer overflow can cause the broker to misinterpret MQTT payloads, potentially leading to unexpected behavior when handling MQTT traffic from non-compliant clients. The impact is limited to confidentiality and integrity with low-level consequences (CVSS 5.4), and there is no indication of availability impact or known exploits in the wild. Brokers not using MQTT transport connectors are not affected.
Mitigation Recommendations
A fix is available. Users should upgrade Apache ActiveMQ to version 5.19.2, 6.1.9, or 6.2.1 or later to address this vulnerability. The advisory notes that users of 6.x should upgrade to 6.2.4 or later as the fix was missed in earlier 6.x releases. No additional mitigation steps are indicated beyond applying the official patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2025-11-21T20:44:42.659Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69a7f558d1a09e29cb1e371e
Added to database: 3/4/2026, 9:03:20 AM
Last enriched: 4/11/2026, 5:34:25 AM
Last updated: 4/19/2026, 9:21:36 AM
Views: 420
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.