CVE-2026-53916 PUBLISHED

Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec

Assigner: apache
Reserved: 11.06.2026 Published: 30.06.2026 Updated: 30.06.2026

Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.

An unauthenticated client that opens a STOMP NIO connection can send header bytes that never terminate. The broker buffers them without limit, which exhausts the JVM heap. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
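
The class of fix for the unbounded header buffering described above is a hard cap on how many header bytes a connection may accumulate before the terminating blank line arrives. The sketch below is an added example, not ActiveMQ source and not the project's actual patch; the class name, the `feed` method and the 8 KiB `MAX_HEADER_BYTES` value are assumptions made for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Added illustration, not ActiveMQ source: incremental STOMP header accumulator with a size cap.
public class BoundedStompHeaderReader {
    // Hypothetical cap chosen for this example; not a value taken from the advisory.
    static final int MAX_HEADER_BYTES = 8 * 1024;
    private final ByteArrayOutputStream pending = new ByteArrayOutputStream();
    private int last = -1; // previous byte kept, used to spot the blank line
    // Consumes one network read. Returns the header block once the blank line that ends
    // it arrives, null if more bytes are needed, and throws if the cap is reached first.
    byte[] feed(ByteBuffer chunk) {
        while (chunk.hasRemaining()) {
            int b = chunk.get();
            if (b == '\r') continue;               // STOMP 1.2 permits CRLF line endings
            if (b == '\n' && last == '\n') {       // blank line: headers are complete
                byte[] headers = pending.toByteArray();
                pending.reset();
                last = -1;
                return headers;
            }
            // Without this check the buffer grows for as long as the peer keeps sending.
            if (pending.size() >= MAX_HEADER_BYTES) {
                pending.reset();                   // release the memory before failing
                throw new IllegalStateException("STOMP headers exceed " + MAX_HEADER_BYTES + " bytes");
            }
            pending.write(b);
            last = b;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed input: a well-formed CONNECT header block split across two reads.
        BoundedStompHeaderReader ok = new BoundedStompHeaderReader();
        byte[] first = ok.feed(ByteBuffer.wrap("CONNECT\naccept-ver".getBytes(StandardCharsets.US_ASCII)));
        byte[] second = ok.feed(ByteBuffer.wrap("sion:1.2\n\n".getBytes(StandardCharsets.US_ASCII)));
        System.out.println((first == null) + " / " + new String(second, StandardCharsets.US_ASCII).trim());
        // Constructed input: header bytes with no terminating blank line.
        BoundedStompHeaderReader capped = new BoundedStompHeaderReader();
        byte[] filler = "a".repeat(4096).getBytes(StandardCharsets.US_ASCII);
        try {
            while (true) capped.feed(ByteBuffer.wrap(filler));
        } catch (IllegalStateException e) {
            System.out.println("connection rejected: " + e.getMessage());
        }
    }
}
```

The caller is expected to close the connection when `feed` throws, so the per-connection memory is bounded by the cap regardless of how long the peer keeps writing.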

Product Status

Vendor: Apache Software Foundation
Product: Apache ActiveMQ
Versions (default: unaffected):
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)

Vendor: Apache Software Foundation
Product: Apache ActiveMQ All
Versions (default: unaffected):
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Stomp
Versions (default: unaffected):
  • affected from 0 to 5.19.8 (excl.)
  • affected from 6.0.0 to 6.2.7 (excl.)

Credits

  • tonghuaroot (finder)

Problem Types

  • CWE-789: Memory Allocation with Excessive Size Value