CVE-2026-39304

EPSS 0.08%
Veröffentlicht 10.04.2026 10:54:04
Zuletzt bearbeitet 01.05.2026 15:21:36
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.

ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.

Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.
This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.

Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

NVD 4 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Activemq Version < 5.19.4

Apache ≫ Activemq Version >= 6.0.0 < 6.2.4

Apache ≫ Activemq Broker Version < 5.19.4

Apache ≫ Activemq Broker Version >= 6.0.0 < 6.2.4

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.227

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt

Vendor Advisory

http://www.openwall.com/lists/oss-security/2026/04/09/17

Third Party Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2026-39304

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39304

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39304

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-39304