ActiveMQ TLSv1.3 memory DoS (CVE-2026-39304)
Attackers crash unpatched Apache ActiveMQ brokers by flooding TLSv1.3 connections with KeyUpdate messages, causing memory exhaustion. Upgrade to 5.19.5 or 6.2.4 immediately.
Vendor-confirmed - CVE-2026-39304 is a high-severity denial-of-service vulnerability in the Apache ActiveMQ client, broker, and standalone distribution before 5.19.4 and before 6.2.4; it lets an unauthenticated remote attacker crash the broker via memory exhaustion triggered by repeated TLSv1.3 KeyUpdate messages.
Overview
A high-severity Denial-of-Service (DoS) vulnerability, CVE-2026-39304, exists in Apache ActiveMQ. The flaw is in how the ActiveMQ Client, Broker, and the standalone ActiveMQ distribution handle TLSv1.3 connections. Specifically, the NIO SSL transport does not properly manage TLSv1.3 handshake KeyUpdate messages, allowing a malicious client to trigger a memory exhaustion condition.
Vulnerability Details
When a client establishes a TLSv1.3 connection to a vulnerable ActiveMQ instance, it can rapidly and repeatedly send KeyUpdate messages. These messages are part of the TLS protocol to refresh encryption keys. The vulnerable SSL engine fails to properly manage the memory allocated for these updates, causing it to continuously consume system memory without release. This leads to an Out-of-Memory (OOM) condition in the broker, resulting in a complete service disruption.
It is important to note that while TLS versions prior to v1.3 (like TLSv1.2) have a related bug causing connection hangs, they are not vulnerable to this memory exhaustion attack. The fix for CVE-2026-39304 addresses both the OOM issue for TLSv1.3 and the hang issue for earlier TLS versions.
Affected Products
This vulnerability impacts the following Apache ActiveMQ versions:
- Apache ActiveMQ Client: versions before 5.19.4, and versions from 6.0.0 before 6.2.4.
- Apache ActiveMQ Broker: versions before 5.19.4, and versions from 6.0.0 before 6.2.4.
- Apache ActiveMQ: versions before 5.19.4, and versions from 6.0.0 before 6.2.4.
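A version-triage helper for the ranges listed above, added here as an example (not code from the advisory or the ActiveMQ project): it encodes the two affected ranges, normalises short or suffixed version strings, and classifies an inventory of reported broker versions. Because the remediation text names 5.19.5 as the 5.x fix while this section says "before 5.19.4", confirm the 5.19.4 boundary against the vendor advisory before relying on it.

```python
"""Triage helper for CVE-2026-39304 (ActiveMQ TLSv1.3 KeyUpdate DoS).
Added example; affected ranges come from the advisory's Affected Products list.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# (lower_inclusive, upper_exclusive); a None lower bound means "any release".
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (5, 19, 4)),      # every release before 5.19.4
    ((6, 0, 0), (6, 2, 4)),  # 6.0.0 <= version < 6.2.4
]


def parse_version(text: str) -> Version:
    """Turn '5.19.3', '6.2' or '6.2.4-SNAPSHOT' into a comparable 3-tuple."""
    core = text.strip().split("-", 1)[0]          # drop '-SNAPSHOT' style suffixes
    if not re.fullmatch(r"\d+(\.\d+){0,2}", core):
        raise ValueError(f"unrecognised ActiveMQ version string: {text!r}")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))               # '6.2' compares like 6.2.0
    return parts[0], parts[1], parts[2]


def is_affected(text: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any((lo is None or v >= lo) and v < hi for lo, hi in AFFECTED_RANGES)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Classify each reported version as affected / not affected / invalid."""
    result: Dict[str, str] = {}
    for text in versions:
        try:
            result[text] = "affected" if is_affected(text) else "not affected"
        except ValueError:
            result[text] = "invalid"                # unparsable: review by hand
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real broker data.
    sample = ["5.18.3", "5.19.3", "5.19.4", "6.0.1", "6.2.3", "6.2.4", "7.0.0-SNAPSHOT", "n/a"]
    for ver, status in triage(sample).items():
        print(f"{ver:>16}  {status}")
```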
Impact and Exploitation
With a CVSS score of 7.5 (High), this vulnerability allows an unauthenticated remote attacker to crash the ActiveMQ broker, causing a denial of service. The attack complexity is low, requires no user interaction, and can be performed over the network. While this poses a significant availability risk, there is currently no evidence of active exploitation in the wild, and the EPSS score indicates a very low probability of exploitation in the near term.
Remediation and Mitigation
The primary and most effective remediation is to upgrade to a patched version of Apache ActiveMQ: version 6.2.4 or 5.19.5, which contain the fix. If immediate upgrading is not possible, consider these temporary mitigation strategies:
- Restrict Network Access: Limit access to the ActiveMQ broker’s ports (typically 61616 for NIO+SSL) to trusted networks and clients only.
- Monitor for Memory Exhaustion: Implement monitoring for unusual memory consumption patterns on ActiveMQ broker hosts, which could indicate an attack attempt.
Security Insight
This vulnerability highlights the subtle security implications of protocol version upgrades. The shift to TLSv1.3, while enhancing security in many areas, introduced a new attack vector (KeyUpdate messages) that was not present in prior versions. It underscores the necessity for thorough security testing of new protocol implementations within application frameworks, especially for core components like transport layers that handle untrusted network data directly. Similar memory exhaustion flaws in other messaging brokers have historically been leveraged in disruptive attacks, making proactive patching essential.
Update - May 2026
As of mid-May 2026, CVE-2026-39304 remains a high-severity (CVSS 7.5) denial-of-service vulnerability affecting Apache ActiveMQ Client and Broker. No patch has been released by the vendor, and no mitigation workaround has been published as of this update. The vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, but continued monitoring is advised as threat actors increasingly target unpatched DoS vectors in messaging infrastructure.
The Exploit Prediction Scoring System (EPSS) score for CVE-2026-39304 has increased from 0.0004 (at initial publication) to 0.0008 (23rd percentile) as of May 14, suggesting slightly elevated, but still low, exploitation chatter in the wild. No public proof-of-concept code or active exploitation campaigns have been confirmed at this time, though this score warrants attention.
Related CVEs in the same attack pattern include CVE-2026-39302 and CVE-2026-39303, both resource-exhaustion flaws in Apache ActiveMQ disclosed in April 2026. Defenders should review all three jointly, as a chained attack could amplify impact.
Recommended actions: Monitor EPSS scores for escalation; apply vendor patches immediately upon release; implement network-level rate limiting and memory usage controls on ActiveMQ brokers; and subscribe to CISA KEV alerts for potential future inclusion of this CVE. Test environments for signs of memory exhaustion under normal loads.