CVE-2021-4040
Description
CVE-2021-4040: A flaw in AMQ Broker allows an attacker to cause an out-of-memory (OOM) condition by sending maliciously crafted messages, partially disrupting availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-4040 is a denial-of-service (DoS) vulnerability in Red Hat AMQ Broker and the underlying Apache ActiveMQ Artemis project. The flaw lies in how the broker parses XID (transaction identifier) data during XA transactions, as detailed in the upstream fix [2]. By sending a sustained stream of maliciously crafted messages, an attacker can drive the broker into an out-of-memory (OOM) condition, partially interrupting service availability [1][3].
Exploitation
The attack is performed over the network without authentication, because the broker's message parsing logic is exposed to external clients. Crafted messages that reach the XID parser cause excessive memory allocation. No special privileges are needed, and the stream can be sustained to keep the broker in an OOM state [1][3].
Impact
Successful exploitation causes a partial loss of availability: the broker may stop processing messages or become unresponsive to legitimate traffic. The vulnerability does not affect data confidentiality or integrity; the primary threat is to system availability [1][3].
Mitigation
The vulnerability is addressed in the upstream Apache ActiveMQ Artemis project by commit 153d2e9a979aead8dff95fbc91d659ecc7d0fb82 [2]. Users should update to a patched version of AMQ Broker or ActiveMQ Artemis; Red Hat has released advisories and updated packages [1]. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.activemq:artemis-core-client (Maven) | < 2.19.1 | 2.19.1 |
Affected products
- AMQ Broker
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gf8c-j759-86mg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-4040 (NVD advisory)
- access.redhat.com/security/cve/CVE-2021-4040
- bugzilla.redhat.com/show_bug.cgi
- github.com/apache/activemq-artemis/pull/3862
- github.com/apache/activemq-artemis/pull/3871
- github.com/apache/activemq-artemis/pull/3871/commits
- github.com/apache/activemq-artemis/pull/3871/commits/153d2e9a979aead8dff95fbc91d659ecc7d0fb82
- issues.apache.org/jira/browse/ARTEMIS-3593
News mentions
No linked articles in our index yet.