CVE-2026-39304— Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-39304
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incorrect handling of TLSv1.3 KeyUpdate can be exploited to cause DoS via OOM
Source: NVD (National Vulnerability Database)
Vulnerability Description
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS. Note: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well. This issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache ActiveMQ 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache ActiveMQ是美国阿帕奇(Apache)基金会的一套开源的消息中间件,它支持Java消息服务、集群、Spring Framework等。 Apache ActiveMQ存在安全漏洞,该漏洞源于TLSv1.3握手KeyUpdates处理不当,可能导致内存耗尽并引发拒绝服务攻击。以下版本受到影响:Apache ActiveMQ Client 5.19.4之前版本和6.0.0至6.2.4之前版本、Apache ActiveMQ Broker 5.19.4之前版本和6.0.0至6.2.4之前版本
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Apache Software Foundation | Apache ActiveMQ Client | 0 ~ 5.19.4 | - | |
| Apache Software Foundation | Apache ActiveMQ Broker | 0 ~ 5.19.4 | - | |
| Apache Software Foundation | Apache ActiveMQ All | 0 ~ 5.19.4 | - | |
| Apache Software Foundation | Apache ActiveMQ | 0 ~ 5.19.4 | - |
II. Public POCs for CVE-2026-39304
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-39304
请登录查看更多情报信息。
Same Patch Batch · Apache Software Foundation · 2026-04-10 · 8 CVEs total
| CVE-2026-40023 | Apache Log4cxx, Apache Log4cxx (Conan), Apache Log4cxx (Brew): Silent log event loss in XM | |
| CVE-2026-40021 | Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescap | |
| CVE-2026-34481 | Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point val | |
| CVE-2026-34480 | Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden c | |
| CVE-2026-34479 | Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescape | |
| CVE-2026-34478 | Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibil | |
| CVE-2026-34477 | Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowin |
IV. Related Vulnerabilities
Same vendor: Apache Software Foundation
- CVE-2026-39816
Apache NiFi: Missing Execute Code Required Permission on Tin - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro - CVE-2026-25077
Apache CloudStack: Unauthenticated Command Injection in Dire - CVE-2025-69233
Apache CloudStack: Domain/account resources limits not honor - CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket del
V. Comments for CVE-2026-39304
No comments yet