CVE Catalog

CVE-2026-50734

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
0.80%

52th percentile — higher than 52% of all known CVEs

Summary

A vulnerability in Apache ActiveMQ allows an unauthenticated attacker to remotely cause a Denial of Service (DoS) of the broker by sending a crafted WireFormatInfo frame with a maliciously large size value. The lack of validation leads to memory allocation attempts during pre-auth negotiation, potentially causing an Out-of-Memory (OOM) condition and broker crash.

Risk Assessment

An attacker can render the ActiveMQ broker unavailable, disrupting systems relying on message queuing and potentially crippling critical business processes.

Recommendation

Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately, as these versions contain the fix for this vulnerability.

Original NVD description (English source)

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ Client, Apache ActiveMQ, Apache ActiveMQ All. An unauthenticated network attacker can cause a broker DoS by sending a crafted WireFormatInfo frame with a malicious large size value. The value is not validate and causes the broker to attempt allocation during pre-auth negotiation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS