CVE-2026-53916
HighCVSS 7.5Exploitation Probability (EPSS)
Elevated risk52th percentile — higher than 52% of all known CVEs
Summary
A vulnerability in Apache ActiveMQ allows an unauthenticated client to send non-terminating header bytes via STOMP NIO, causing unlimited buffering and JVM heap exhaustion.
Risk Assessment
The attack can lead to JVM memory exhaustion and denial of service (DoS), impacting the availability of systems using ActiveMQ.
Recommendation
Immediately upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7, which contain the fix.
Original NVD description (English source)
Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp. An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate which makes the broker buffer them without limit, exhausting the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

