{
  "threat_severity" : "Moderate",
  "public_date" : "2026-04-09T15:58:32Z",
  "bugzilla" : {
    "description" : "org.apache.activemq/apache-activemq: org.apache.activemq/activemq-all: org.apache.activemq/activemq-mqtt: MQTT control packet remaining length field is not properly validated (missing fix for CVE-2025-66168)",
    "id" : "2456950",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2456950"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-190",
  "details" : [ "Integer Overflow or Wraparound vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT.\nThe fix for \"CVE-2025-66168: MQTT control packet remaining length field is not properly validated\" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versions.\nThis issue affects Apache ActiveMQ: from 6.0.0 before 6.2.4; Apache ActiveMQ All: from 6.0.0 before 6.2.4; Apache ActiveMQ MQTT: from 6.0.0 before 6.2.4.\nUsers are recommended to upgrade to version 6.2.4 or a 5.19.x version starting with 5.19.2 or later (currently latest is 5.19.5), which fixes the issue.", "A flaw was found in Apache ActiveMQ, Apache ActiveMQ All and Apache ActiveMQ MQTT. The fix for CVE-2025-66168 was not applied for 6.0.0+ versions. This exposed the underlying integer overflow/wraparound vulnerability when handling MQTT control packets, causing the broker to misinterpret payloads and leading to unexpected behavior when interacting with non-compliant clients." ],
  "statement" : "This issue specifically affects Apache ActiveMQ, Apache ActiveMQ All and Apache ActiveMQ MQTT versions from 6.0.0 before 6.2.4. These versions are not shipped in any Red Hat product.",
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "activemq-all",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "activemq-mqtt",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "activemq-mqtt",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "activemq-mqtt",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40046\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40046\nhttps://activemq.apache.org/security-advisories.data/CVE-2026-40046-announcement.txt\nhttps://lists.apache.org/thread/zdntj5rcgjjzrpow84o339lzldy68zrg\nhttps://www.cve.org/CVERecord?id=CVE-2025-66168" ],
  "name" : "CVE-2026-40046",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}