JVNDB-2026-006408

Apache ActiveMQ series improper validation of MQTT packets [AMQ-9810]

Apache ActiveMQ series provided by The Apache Software Foundation does not properly validate the remaining length field of MQTT packets, which may lead to integer overflow and misinterpretation of MQTT packets.

• Integer overflow or wraparound (CWE-190) - CVE-2025-66168, CVE-2026-40046

Gai Tanaka of Mitsui Bussan Secure Directions, Inc. reported this vulnerability in version 6.2.0 to the developer and IPA under Information Security Early Warning Partnership.
JPCERT/CC coordinated with the developer to publish the advisory.

Apache Software Foundation

• Apache ActiveMQ 5.x versions prior to 5.19.2
• Apache ActiveMQ 6.x versions prior to 6.2.4
• Apache ActiveMQ All module 5.x versions prior to 5.19.2
• Apache ActiveMQ 6.x versions prior to 6.2.4
• Apache ActiveMQ MQTT module 5.x versions prior to 5.19.2
• Apache ActiveMQ MQTT 6.x versions prior to 6.2.4

Processing a crafted MQTT packet may lead to misinterpretation of the packet and unexpected behavior.

[Update the Software]
Update the software to the latest version according to the information provided by the developer.

Apache Software Foundation

• The Apache Software Foundation : CVE-2025-66168 - MQTT control packet remaining length field is not properly validated
• The Apache Software Foundation : CVE-2026-40046 - Missing fix for CVE-2025-66168: MQTT control packet remaining length field is not properly validated
• The Apache Software Foundation : [AMQ-9810] Add additional validation for MQTT control packets

1. No Mapping(CWE-Other) [IPA Evaluation]

1. CVE-2025-66168
2. CVE-2026-40046

1. JVN : JVN#20669184
2. National Vulnerability Database (NVD) : CVE-2025-66168

• [2026/04/24]
    Web page was published