Denial of Service via repeated BrokerInfo commands
Summary
Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Following the fix for CVE-2026-49270 an unauthenticated attacker can now cause broker OOM by sending an repeated BrokerInfo commands without sending a ConnectionInfo, until the broker will crash with OOM. This issue affects Apache ActiveMQ Broker: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7; Apache ActiveMQ All: from 5.19.7 before 5.19.8, from 6.2.6 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue. A flaw was found in Apache ActiveMQ. An unauthenticated remote attacker can exploit this vulnerability by repeatedly sending BrokerInfo commands without corresponding ConnectionInfo commands. This can lead to an Out of Memory condition, causing the broker to crash and resulting in a Denial of Service. Red Hat products that include Apache ActiveMQ classic components ship versions prior to 5.19.7 (5.x line) and prior to 6.2.6 (6.x line). The vulnerable code was introduced as a regression in versions 5.19.7 and 6.2.6 while fixing CVE-2026-49270, and is not present in the versions shipped by Red Hat. Products shipping Apache ActiveMQ Artemis are not affected as Artemis is a separate codebase. Red Hat severity: Important — CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Weakness: CWE-770. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Official advisory · high-confidence parse· fetched 1 day ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.