CVE Catalog

CVE-2026-53916

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.80%

52th percentile — higher than 52% of all known CVEs

Summary

A vulnerability in Apache ActiveMQ allows an unauthenticated client to send non-terminating header bytes via STOMP NIO, causing unlimited buffering and JVM heap exhaustion.

Risk Assessment

The attack can lead to JVM memory exhaustion and denial of service (DoS), impacting the availability of systems using ActiveMQ.

Recommendation

Immediately upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7, which contain the fix.

Original NVD description (English source)

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS