High (7.5)

ActiveMQ TLSv1.3 memory DoS (CVE-2026-39304)

CVE-2026-39304

Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ. ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates ...

Overview

A high-severity Denial-of-Service (DoS) vulnerability, CVE-2026-39304, exists in Apache ActiveMQ. The flaw is in how the ActiveMQ Client, Broker, and the standalone ActiveMQ distribution handle TLSv1.3 connections. Specifically, the NIO SSL transport does not properly manage TLSv1.3 handshake KeyUpdate messages, allowing a malicious client to trigger a memory exhaustion condition.

Vulnerability Details

When a client establishes a TLSv1.3 connection to a vulnerable ActiveMQ instance, it can rapidly and repeatedly send KeyUpdate messages. These messages are part of the TLS protocol to refresh encryption keys. The vulnerable SSL engine fails to properly manage the memory allocated for these updates, causing it to continuously consume system memory without release. This leads to an Out-of-Memory (OOM) condition in the broker, resulting in a complete service disruption.

It is important to note that while TLS versions prior to v1.3 (like TLSv1.2) have a related bug causing connection hangs, they are not vulnerable to this memory exhaustion attack. The fix for CVE-2026-39304 addresses both the OOM issue for TLSv1.3 and the hang issue for earlier TLS versions.

Affected Products

This vulnerability impacts the following Apache ActiveMQ versions:

  • Apache ActiveMQ Client: versions before 5.19.4, and versions from 6.0.0 before 6.2.4.
  • Apache ActiveMQ Broker: versions before 5.19.4, and versions from 6.0.0 before 6.2.4.
  • Apache ActiveMQ: versions before 5.19.4, and versions from 6.0.0 before 6.2.4.
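To turn the version ranges above into something an asset inventory can be checked against, here is an added example (not code from the advisory or from the ActiveMQ project) that encodes exactly the ranges listed under Affected Products and flags any host running an affected build; the inventory entries and host names are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges as stated in this advisory's "Affected Products" section.
# Each entry is (inclusive lower bound or None, exclusive upper bound).
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (5, 19, 4)),       # every release before 5.19.4
    ((6, 0, 0), (6, 2, 4)),   # 6.0.0 up to, but not including, 6.2.4
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch', ignoring any trailing qualifier such as '-SNAPSHOT'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the given ActiveMQ version falls inside an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of inventory entries running an affected client or broker."""
    return [name for name, ver in inventory if is_affected(ver)]


# Constructed sample inventory (host name, reported ActiveMQ version).
SAMPLE_INVENTORY = [
    ("mq-prod-01", "5.18.3"),
    ("mq-prod-02", "5.19.4"),
    ("mq-stage-01", "6.2.3-SNAPSHOT"),
    ("mq-stage-02", "6.2.4"),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: affected by CVE-2026-39304, upgrade required")
```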

Impact and Exploitation

With a CVSS score of 7.5 (High), this vulnerability allows an unauthenticated remote attacker to crash the ActiveMQ broker, causing a denial of service. The attack complexity is low, requires no user interaction, and can be performed over the network. While this poses a significant availability risk, there is currently no evidence of active exploitation in the wild, and the EPSS score indicates a very low probability of exploitation in the near term.

Remediation and Mitigation

The primary and most effective remediation is to upgrade to a patched version of Apache ActiveMQ.

  • Upgrade to version 6.2.4 or 5.19.5, which contain the fix.

If immediate upgrading is not possible, consider these temporary mitigation strategies:

  • Restrict Network Access: Limit access to the ActiveMQ broker’s ports (typically 61616 for NIO+SSL) to trusted networks and clients only.
  • Monitor for Memory Exhaustion: Implement monitoring for unusual memory consumption patterns on ActiveMQ broker hosts, which could indicate an attack attempt.


Security Insight

This vulnerability highlights the subtle security implications of protocol version upgrades. The shift to TLSv1.3, while enhancing security in many areas, introduced a new attack vector (KeyUpdate messages) that was not present in prior versions. It underscores the necessity for thorough security testing of new protocol implementations within application frameworks, especially for core components like transport layers that handle untrusted network data directly. Similar memory exhaustion flaws in other messaging brokers have historically been leveraged in disruptive attacks, making proactive patching essential.
