Description
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.




Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.




The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by
applying the classname allowlist earlier.




Affected are applications using Apache MINA that call IoBuffer.getObject().




Applications using Apache MINA are advised to upgrade
Published: 2026-04-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Untrusted Deserialization
Action: Patch Now
AI Analysis

Impact

The vulnerability lies in Apache MINA's AbstractIoBuffer.getObject() method. Because the classname allowlist is applied only after a static initializer has already been executed, an attacker can send crafted serialized data that triggers arbitrary code execution during deserialization. This weakness is a classic deserialization flaw (CWE‑502) that can compromise confidentiality, integrity, and availability of any system using the affected MINA framework.

Affected Systems

The issue affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. Applications or services that incorporate Apache MINA and invoke IoBuffer.getObject() are vulnerable.

Risk and Exploitability

Based on the description, the likely attack vector is remote, originating from network traffic that passes through services using MINA's deserialization. With a CVSS score of 9.8, this vulnerability is considered critical. The EPSS score of <1% indicates that, at present, the likelihood of exploitation is low but non-zero. It is not listed in the CISA KEV catalog. The vulnerability therefore carries a high severity and a small but present exploitation probability.

Generated by OpenCVE AI on April 28, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache MINA to version 2.0.28, 2.1.11, or 2.2.6 or later, which applies the classname allowlist at the correct time.
  • Configure the application to restrict deserialization to a strict whitelist of trusted classes and disallow any payloads from untrusted external sources.
  • Implement network segmentation and logging for all traffic reaching the MINA endpoints, and monitor for anomalous deserialization activity.

Generated by OpenCVE AI on April 28, 2026 at 04:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f2wh-grmh-r6jm Apache MINA Vulnerable to Deserialization of Untrusted Data (CVE-2024-52046 Incomplete Fix)
History

Sat, 02 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Critical

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache mina
Vendors & Products Apache
Apache mina

Mon, 27 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Description The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
Title Apache MINA: CWE-502 Deserialization of Untrusted Data
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Apache Mina
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-27T12:21:52.067Z

Reserved: 2026-04-20T15:04:54.505Z

Link: CVE-2026-41409

cve-icon Vulnrichment

Updated: 2026-04-27T12:21:49.318Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-27T10:16:09.740

Modified: 2026-04-29T19:08:07.193

Link: CVE-2026-41409

cve-icon Redhat

Severity : Critical

Publid Date: 2026-04-27T09:20:12Z

Links: CVE-2026-41409 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T09:17:21Z

Weaknesses