Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <30fa1feb-53be-bcbc-73bf-ca305ee8d9ce@apache.org>
Date: Mon, 29 Jun 2026 18:44:11 +0000
From: "Christopher L. Shannon" <cshannon@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-53917: Apache ActiveMQ, Apache ActiveMQ All, Apache
 ActiveMQ Client, Apache ActiveMQ Broker: Unbounded memory allocation in
 OpenWire property unmarshalling 

Severity: important 

Affected versions:

- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.8
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.7
- Apache ActiveMQ All (org.apache.activemq:activemq-all) before 5.19.8
- Apache ActiveMQ All (org.apache.activemq:activemq-all) 6.0.0 before 6.2.7
- Apache ActiveMQ Client (org.apache.activemq:activemq-client) before 5.19.8
- Apache ActiveMQ Client (org.apache.activemq:activemq-client) 6.0.0 before 6.2.7
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.8
- Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.7

Description:

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker.

An authenticated user can cause a broker DoS by sending a crafted OpenWire Message with a large encoded size value for the map. OpenWire message property maps are unmarshaled without size validation which can trigger OOM and crash the broker.
This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Credit:

tonghuaroot (finder)

References:

https://activemq.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-53917

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.