PatchSiren cyber security CVE debrief

CVE-2026-39304 Apache Software Foundation CVE debrief

CVE-2026-39304 is a high-severity vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ. The NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdate messages triggered by clients, which leads to a Denial of Service (DoS) through memory exhaustion (Out of Memory). The issue affects Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4. Users are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue. The CVSS score for this vulnerability is 7.5 (high severity).

Vendor: Apache Software Foundation
Product: Apache ActiveMQ Client
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-10
Original CVE updated: 2026-06-30
Advisory published: 2026-04-10
Advisory updated: 2026-06-30

Who should care

Organizations running Apache ActiveMQ Client, Apache ActiveMQ Broker, or Apache ActiveMQ versions before 5.19.4, or from 6.0.0 before 6.2.4, should be aware of this vulnerability and take steps to mitigate it. That means upgrading to version 6.2.4 or 5.19.5, which fixes the issue. Defenders should additionally monitor their systems for potential exploitation attempts, which for this issue would show up as unexplained memory growth or Out of Memory errors on TLS-enabled NIO transports.

Technical summary

The vulnerability is caused by the NIO SSL transports not correctly handling TLSv1.3 handshake KeyUpdate messages triggered by clients. This leads to a Denial of Service (DoS) via Out of Memory. The issue affects Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and a high impact on availability only, with no confidentiality or integrity impact. The associated weaknesses are CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling).

Defensive priority

High priority should be given to upgrading to version 6.2.4 or 5.19.5, which fixes the issue. Defenders should also monitor their systems for potential exploitation attempts.

Recommended defensive actions

  • Upgrade to version 6.2.4 or 5.19.5
  • Monitor systems for potential exploitation attempts
  • Review and update inventory of affected systems
  • Implement compensating controls to detect and prevent exploitation
  • Track exceptions and anomalies in system behavior
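To support the inventory review above, the following script (added here as an example; it is not part of the advisory or of the ActiveMQ project) flags ActiveMQ versions that fall inside the affected ranges stated on this page and reports the advisory's recommended upgrade target. The inventory lines and host names are constructed sample data.

```python
"""Flag Apache ActiveMQ versions in the affected ranges for CVE-2026-39304.

Ranges and fix versions are taken from the advisory text; inventory data is constructed.
"""
import re
from typing import NamedTuple, Optional

# Affected as stated in the advisory: before 5.19.4, and from 6.0.0 before 6.2.4.
AFFECTED_RANGES = (
    ((0, 0, 0), (5, 19, 4)),  # [0.0.0, 5.19.4)
    ((6, 0, 0), (6, 2, 4)),   # [6.0.0, 6.2.4)
)
# Advisory's recommended upgrade targets per release line.
FIX_5X, FIX_6X = "5.19.5", "6.2.4"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.-]+))?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch[-qualifier]'; qualifiers such as RC1 or SNAPSHOT are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def is_affected(version: str) -> bool:
    """True if the version lies in one of the half-open affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Upgrade target for an affected version, or None if it is not affected."""
    if not is_affected(version):
        return None
    return FIX_6X if parse_version(version)[0] >= 6 else FIX_5X


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool
    upgrade_to: Optional[str]


def triage_inventory(lines: list[str]) -> list[Finding]:
    """Each line is '<host> <activemq-version>'; unparseable versions are flagged for review."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue  # skip comments and incomplete rows
        host, version = parts[0], parts[1]
        try:
            findings.append(Finding(host, version, is_affected(version), recommended_fix(version)))
        except ValueError:
            findings.append(Finding(host, version, True, "review: unparseable version"))
    return findings


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    "# host          activemq_version",
    "mq-broker-01    5.18.3",
    "mq-broker-02    5.19.4",
    "mq-broker-03    6.1.2-SNAPSHOT",
    "mq-broker-04    6.2.4",
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        status = f"AFFECTED -> upgrade to {f.upgrade_to}" if f.affected else "not affected"
        print(f"{f.host:14} {f.version:16} {status}")
```

Unparseable versions are deliberately reported as affected so they are reviewed rather than silently skipped.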

Evidence notes

The CVE-2026-39304 vulnerability was published on April 10, 2026, and modified on June 30, 2026. The vulnerability affects Apache ActiveMQ Client, Apache ActiveMQ Broker, and Apache ActiveMQ versions before 5.19.4 and from 6.0.0 before 6.2.4. The CVSS score for this vulnerability is 7.5, indicating a high severity.

This article is AI-assisted and based on the supplied source corpus.