{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"HIGH"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https:/www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.\n\nA remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.\n\n\n\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":null,
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49432"
			},
			{
				"summary":"CVE-2026-49432 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-49432.json"
			},
			{
				"summary":"openEuler-SA-2026-2923",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2923"
			},
			{
				"summary":"CVE-2026-49432",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-49432&packageName=activemq"
			}
		],
		"title":"openEuler cve CVE-2026-49432",
		"tracking":{
			"initial_release_date":"2026-07-14T11:13:14+08:00",
			"revision_history":[
				{
					"date":"2026-07-14T11:13:14+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-07-14T11:13:14+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-07-14T11:13:14+08:00",
			"id":"CVE-2026-49432",
			"version":"1.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"openEuler-24.03-LTS-SP1",
									"name":"openEuler-24.03-LTS-SP1"
								},
								"name":"openEuler-24.03-LTS-SP1",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"activemq-5.19.8-1.oe2403sp1.noarch.rpm",
									"name":"activemq-5.19.8-1.oe2403sp1.noarch.rpm"
								},
								"name":"activemq-5.19.8-1.oe2403sp1.noarch.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"activemq-javadoc-5.19.8-1.oe2403sp1.noarch.rpm",
									"name":"activemq-javadoc-5.19.8-1.oe2403sp1.noarch.rpm"
								},
								"name":"activemq-javadoc-5.19.8-1.oe2403sp1.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:24.03-LTS-SP1"
									},
									"product_id":"activemq-5.19.8-1.oe2403sp1.src.rpm",
									"name":"activemq-5.19.8-1.oe2403sp1.src.rpm"
								},
								"name":"activemq-5.19.8-1.oe2403sp1.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"activemq-5.19.8-1.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.noarch",
					"name":"activemq-5.19.8-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"activemq-javadoc-5.19.8-1.oe2403sp1.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:activemq-javadoc-5.19.8-1.oe2403sp1.noarch",
					"name":"activemq-javadoc-5.19.8-1.oe2403sp1.noarch as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-24.03-LTS-SP1",
				"product_reference":"activemq-5.19.8-1.oe2403sp1.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.src",
					"name":"activemq-5.19.8-1.oe2403sp1.src as a component of openEuler-24.03-LTS-SP1"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-49432",
			"notes":[
				{
					"text":"Improper Input Validation vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp.\n\nA remote unauthenticated peer that can reach an exposed STOMP connector can trigger denial-of-service behavior by sending a negative content-length. For the NIO STOMP transport, an attacker can keep streaming body bytes and grow the per-connection command buffer beyond configured limits to cause OOM. For the blocking STOMP protocol, an error will instead force abnormal transport exception handling for the affected connection and closure.\nThis issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Stomp: before 5.19.8, from 6.0.0 before 6.2.7.\n\n\n\n\nUsers are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":[
					"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:activemq-javadoc-5.19.8-1.oe2403sp1.noarch",
					"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.src"
				]
			},
			"remediations":[
				{
					"product_ids":[
						"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:activemq-javadoc-5.19.8-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.src"
					],
					"details":"activemq security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2923"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"HIGH",
						"baseScore":7.5,
						"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
						"version":"3.1"
					},
					"products":[
						"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:activemq-javadoc-5.19.8-1.oe2403sp1.noarch",
						"openEuler-24.03-LTS-SP1:activemq-5.19.8-1.oe2403sp1.src"
					]
				}
			],
			"threats":[
				{
					"details":"High",
					"category":"impact"
				}
			],
			"title":"CVE-2026-49432"
		}
	]
}