Memory Allocation with Excessive Size Value vulnerability in Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Client, Apache ActiveMQ Broker. An authenticated user can cause a broker DoS by sending a crafted OpenWire Message with a large encoded size value for the map. OpenWire message property maps are unmarshaled without size validation which can trigger OOM and crash the broker. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Client: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
Apache ActiveMQ contains a critical vulnerability in its OpenWire protocol implementation where authenticated users can trigger denial-of-service conditions by sending specially crafted messages with excessively large encoded size values in property maps. The vulnerability stems from unmarshaling OpenWire message maps without proper size validation, allowing attackers to allocate unbounded memory and exhaust broker resources, ultimately crashing the service. This affects multiple ActiveMQ versions (5.x before 5.19.8 and 6.x before 6.2.7) and impacts any organization relying on ActiveMQ for message brokering, particularly those with untrusted internal networks or exposed broker endpoints.
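The missing check described above, shown as an added example on a simplified length-prefixed map; this is not ActiveMQ's code and not part of the original page. The wire layout, the class and method names, and the `MAX_ENTRIES` cap are assumptions made for illustration.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class BoundedMapDecoder {
    // Assumed simplified layout (not the OpenWire wire format):
    // int32 entry count, then per entry: writeUTF key, writeUTF value.
    static final int MAX_ENTRIES = 1024;   // hypothetical policy cap
    static final int MIN_ENTRY_BYTES = 4;  // two empty UTF strings: 2 + 2 length bytes

    // Weak form: the declared count sizes the allocation before any entry is read.
    static Map<String, String> decodeUnchecked(DataInputStream in) throws IOException {
        int count = in.readInt();
        Map<String, String> map = new HashMap<>(count); // sender-chosen capacity
        for (int i = 0; i < count; i++) map.put(in.readUTF(), in.readUTF());
        return map;
    }

    // Hardened form: check the count against a cap and against the bytes actually present.
    static Map<String, String> decodeBounded(byte[] frame) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(frame));
        int count = in.readInt();
        int remaining = frame.length - 4;
        if (count < 0 || count > MAX_ENTRIES || count > remaining / MIN_ENTRY_BYTES) {
            throw new IOException("rejected map entry count " + count
                    + " for " + remaining + " payload bytes");
        }
        Map<String, String> map = new HashMap<>(); // grows only with data actually read
        for (int i = 0; i < count; i++) map.put(in.readUTF(), in.readUTF());
        return map;
    }

    public static void main(String[] args) throws IOException {
        // Constructed frames: one honest entry, then a header declaring far more
        // entries than the payload could hold.
        ByteArrayOutputStream ok = new ByteArrayOutputStream();
        DataOutputStream w = new DataOutputStream(ok);
        w.writeInt(1); w.writeUTF("JMSXGroupID"); w.writeUTF("g1");
        System.out.println(decodeBounded(ok.toByteArray()));
        ByteArrayOutputStream bad = new ByteArrayOutputStream();
        new DataOutputStream(bad).writeInt(Integer.MAX_VALUE);
        try {
            decodeBounded(bad.toByteArray());
        } catch (IOException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

Comparing the declared count with the bytes remaining in the frame rejects an oversized header before any allocation, independently of the fixed cap.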
While no specific MITRE ATT&CK techniques are formally mapped to this CVE, Casky's AI-driven analysis would detect attack patterns consistent with resource exhaustion and denial-of-service activities. A practitioner using Casky would observe detection signals aligned with T1499 (Service Exhaustion DoS) and T1561 (Disk Content Wipe) patterns—specifically, anomalous memory allocation requests, abnormal process resource consumption spikes, and broker crash events following authenticated OpenWire message submissions. By correlating message parsing logs, memory utilization baselines, and authentication events, Casky's extended reasoning capabilities would surface the attack chain: legitimate authentication followed by crafted message transmission triggering uncontrolled memory allocation. Security teams would see findings indicating suspicious authenticated session behavior with resource exhaustion indicators, enabling rapid differentiation between legitimate traffic spikes and exploit attempts.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-53917. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation