JVN#20669184
Apache ActiveMQ series improper validation of MQTT packets [AMQ-9810]
Overview
Apache ActiveMQ series provided by The Apache Software Foundation does not properly validate MQTT packets.
Products Affected
- Apache ActiveMQ 5.x versions prior to 5.19.2, 6.x versions prior to 6.2.4
- Apache ActiveMQ All module 5.x versions prior to 5.19.2, 6.x versions prior to 6.2.4
- Apache ActiveMQ MQTT module 5.x versions prior to 5.19.2, 6.x versions prior to 6.2.4
Description
Apache ActiveMQ series provided by The Apache Software Foundation does not properly validate the remaining length field of MQTT packets, which may lead to integer overflow and misinterpretation of MQTT packets.
- Integer overflow or wraparound (CWE-190)
- CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Base Score 5.3
- CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Base Score 5.4
- CVE-2025-66168, CVE-2026-40046
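As an added illustration (not ActiveMQ's own code), the following Python decoder handles the MQTT fixed-header remaining length field the way the MQTT specification requires: at most 4 bytes, 7 data bits per byte, and a declared length that must match the bytes actually received. The function names and the sample packets are constructed for this example; the bounds come from the MQTT 3.1.1/5.0 specification, not from the advisory.

```python
# MQTT "remaining length": variable-length integer, 7 data bits per byte,
# high bit = continuation, at most 4 bytes (MQTT 3.1.1 / 5.0 spec).
MAX_REMAINING_LENGTH = 268_435_455  # largest value 4 bytes can encode

class MalformedPacket(ValueError):
    """Raised when the fixed header cannot be decoded safely."""

def decode_remaining_length(buf, offset=1):
    """Return (value, bytes_consumed) for the remaining length at buf[offset].

    Without the 4-byte cap, every continuation byte multiplies by 128 again,
    so a crafted header can push the value past a fixed-width integer.
    """
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == 4:
            raise MalformedPacket("remaining length longer than 4 bytes")
        if offset + consumed >= len(buf):
            raise MalformedPacket("truncated remaining length")
        byte = buf[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:  # continuation bit clear: this was the last byte
            return value, consumed
        multiplier *= 128

def parse_fixed_header(packet):
    """Split a raw MQTT packet into (packet_type, flags, body)."""
    if not packet:
        raise MalformedPacket("empty packet")
    packet_type, flags = packet[0] >> 4, packet[0] & 0x0F
    remaining, used = decode_remaining_length(packet, 1)
    body = packet[1 + used:]
    # Declared length must match what actually follows, or a stream reader
    # would misalign on the next packet.
    if len(body) != remaining:
        raise MalformedPacket(f"declared {remaining} bytes, got {len(body)}")
    return packet_type, flags, body

def encode_remaining_length(n):
    """Inverse of decode_remaining_length, used to build well-formed headers."""
    if not 0 <= n <= MAX_REMAINING_LENGTH:
        raise ValueError("remaining length out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)
```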
Impact
Processing a crafted MQTT packet may lead to misinterpretation of the packet and unexpected behavior.
Solution
Update the Software
Update the software to the latest version according to the information provided by the developer.
Vendor Status
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Credit
Gai Tanaka of Mitsui Bussan Secure Directions, Inc. reported this vulnerability in version 6.2.0 to the developer and IPA under Information Security Early Warning Partnership.
JPCERT/CC coordinated with the developer to publish the advisory.
Other Information
JVN iPedia: JVNDB-2026-006408