PatchSiren cyber security CVE debrief
CVE-2026-39304 Apache Software Foundation CVE debrief
CVE-2026-39304 is a high-severity vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ. The vulnerability is caused by the NIO SSL transports not correctly handling TLSv1.3 handshake KeyUpdates triggered by clients, leading to a Denial of Service (DoS) via Out of Memory. This issue affects Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue. The CVSS score for this vulnerability is 7.5, indicating a high severity.
- Vendor: Apache Software Foundation
- Product: Apache ActiveMQ Client
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-10
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-10
- Advisory updated: 2026-06-30
Who should care
Organizations using Apache ActiveMQ Client, Apache ActiveMQ Broker, or Apache ActiveMQ versions before 5.19.4 or from 6.0.0 before 6.2.4 should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 6.2.4 or 5.19.5, which fixes the issue. Additionally, defenders should monitor their systems for potential exploitation attempts.
Technical summary
The vulnerability is caused by the NIO SSL transports not correctly handling TLSv1.3 handshake KeyUpdates triggered by clients. This leads to a Denial of Service (DoS) via Out of Memory. The issue affects Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: network-reachable, low complexity, no privileges or user interaction required, with impact on availability only, indicating a high severity. The associated weaknesses are CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).
Defensive priority
High priority should be given to upgrading to version 6.2.4 or 5.19.5, which fixes the issue. Defenders should also monitor their systems for potential exploitation attempts.
Recommended defensive actions
- Upgrade to version 6.2.4 or 5.19.5
- Monitor systems for potential exploitation attempts
- Review and update inventory of affected systems
- Implement compensating controls to detect and prevent exploitation
- Track exceptions and anomalies in system behavior
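As an added example (not from the advisory or the ActiveMQ project), the following script applies the affected version ranges exactly as stated above to a constructed inventory, so the "review inventory" step can be run over a host list; the inventory format and host names are assumptions.

```python
"""Inventory triage for CVE-2026-39304 (added example, not vendor code).

Affected per the advisory: ActiveMQ before 5.19.4, and 6.0.0 up to but not
including 6.2.4. Versions outside those ranges are reported as not affected.
"""
import re

# Half-open ranges [lo, hi) as (major, minor, patch) tuples.
AFFECTED_RANGES = (
    ((0, 0, 0), (5, 19, 4)),   # before 5.19.4
    ((6, 0, 0), (6, 2, 4)),    # from 6.0.0 before 6.2.4
)


def parse_version(text):
    """Parse 'major.minor[.patch]' and ignore any suffix such as -SNAPSHOT."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version):
    """True when the version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def triage_inventory(lines):
    """Map host -> True (affected), False (not affected), None (unparseable)."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            report[host.strip()] = is_affected(version)
        except ValueError:
            report[host.strip()] = None  # unknown version: review by hand
    return report


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = """\
# host,activemq_version
mq-prod-01,5.18.3
mq-prod-02,5.19.4
mq-dev-01,6.1.2
mq-dev-02,6.2.4
mq-legacy,unknown
"""

if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not affected", None: "UNKNOWN"}
    for host, status in triage_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{host}: {labels[status]}")
```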
Evidence notes
The CVE-2026-39304 vulnerability was published on April 10, 2026, and modified on June 30, 2026. The vulnerability affects Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4. The CVSS score for this vulnerability is 7.5, indicating a high severity.
Official resources
- CVE-2026-39304 CVE record (CVE.org)
- CVE-2026-39304 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.