
CVE Reports

Posted on • Originally published at cvereports.com


CVE-2026-40046: Integer Overflow and Protocol Smuggling in Apache ActiveMQ MQTT Decoder

Vulnerability ID: CVE-2026-40046
CVSS Score: 8.8
Published: 2026-04-09

CVE-2026-40046 is an integer overflow vulnerability in the MQTT transport module of Apache ActiveMQ versions 6.0.0 through 6.2.3. The flaw stems from a failure to enforce the specification-defined maximum byte length for the MQTT 'Remaining Length' header. Attackers can exploit this logic error to trigger protocol desynchronization, perform command smuggling, and cause denial-of-service conditions. This vulnerability is a regression of CVE-2025-66168, which was patched in the 5.19.x branch but inadvertently omitted from the 6.x release line.

TL;DR

Apache ActiveMQ 6.0.0-6.2.3 fails to enforce length constraints in its MQTT packet decoder due to a missing patch. Attackers can send malformed headers to cause protocol desynchronization, enabling MQTT command smuggling and application-layer denial-of-service attacks.

Exploit Status: PoC

Technical Details

  • CWE ID: CWE-190
  • Attack Vector: Network
  • CVSS Score: 8.8
  • EPSS Score: 0.00017
  • Impact: Denial of Service, Protocol Smuggling
  • Exploit Status: Functional PoC Available

Affected Systems

  • Apache ActiveMQ 6.0.0
  • Apache ActiveMQ 6.1.0
  • Apache ActiveMQ 6.2.0
  • Apache ActiveMQ 6.2.1
  • Apache ActiveMQ 6.2.2
  • Apache ActiveMQ 6.2.3
  • Apache ActiveMQ: >= 6.0.0, <= 6.2.3 (Fixed in: 6.2.4)

Mitigation Strategies

  • Upgrade Apache ActiveMQ to patched versions (6.2.4 or 5.19.2+)
  • Disable the MQTT transport connector in activemq.xml if not in use
  • Deploy an MQTT-aware WAF or IPS to validate strict protocol adherence

Remediation Steps:

  1. Identify all deployed instances of Apache ActiveMQ and verify the running version.
  2. Review activemq.xml to determine if the MQTT transport connector is enabled.
  3. Download and install ActiveMQ version 6.2.4 for 6.x deployments, or 5.19.2 for 5.x deployments.
  4. If patching is delayed, comment out the <transportConnector name="mqtt" ... /> line in activemq.xml and restart the broker.
  5. Implement network monitoring for anomalous MQTT connections, specifically packets with oversized length headers.
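The check the advisory says is missing, and the monitoring suggested in step 5, as an added example (not ActiveMQ's code): a Remaining Length decoder that enforces the four-byte cap from MQTT 3.1.1 §2.2.3, plus a packet inspector that flags oversized headers and length/body mismatches over constructed sample packets. The packet layout and sample bytes are assumptions for illustration.

```python
MAX_REMAINING_LENGTH_BYTES = 4  # MQTT 3.1.1 §2.2.3: at most 4 bytes, max value 268,435,455


class MalformedRemainingLength(ValueError):
    """Raised when the variable-length header violates the specification."""


def decode_remaining_length(buf: bytes, offset: int = 0) -> tuple[int, int]:
    """Decode the Remaining Length field at buf[offset]; return (value, bytes_consumed).

    Each byte carries 7 data bits; bit 7 set means another byte follows. Refusing
    a fifth byte is what keeps the accumulator bounded instead of growing unchecked.
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == MAX_REMAINING_LENGTH_BYTES:
            raise MalformedRemainingLength("Remaining Length exceeds 4 bytes")
        if offset + consumed >= len(buf):
            raise MalformedRemainingLength("truncated Remaining Length")
        byte = buf[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if not byte & 0x80:  # continuation bit clear: this was the last byte
            return value, consumed


def inspect_packet(packet: bytes) -> str:
    """Classify one MQTT control packet: "ok", or a reason string a monitor can alert on.

    A declared length that does not match the bytes present is the condition under
    which a lenient decoder drifts out of sync with the stream.
    """
    if len(packet) < 2:
        return "too short for a fixed header"
    try:
        remaining, hdr_len = decode_remaining_length(packet, 1)  # byte 0 is the control byte
    except MalformedRemainingLength as exc:
        return f"malformed: {exc}"
    body = len(packet) - 1 - hdr_len
    if body != remaining:
        return f"length mismatch: declared {remaining}, present {body}"
    return "ok"


# Constructed sample packets (not captured traffic)
PINGREQ = bytes([0xC0, 0x00])                           # zero-length body
PUBLISH_128 = bytes([0x30, 0x80, 0x01]) + bytes(128)    # 2-byte length = 128
OVERLONG = bytes([0x30, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F])  # 5 length bytes: forbidden
```

Running `inspect_packet` over each sample yields "ok" for the first two and a "malformed" verdict for the overlong header.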
