Description
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.
Published: 2026-04-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Apache MINA’s AbstractIoBuffer.resolveClass() contains a flaw that allows the class allowlist to be bypassed for static classes or primitive types. The unchecked call to Class.forName() enables an attacker to deserialize arbitrary objects and execute code of their choosing. The weakness is classified as CWE-502. The impact is a full remote code execution with potential to compromise confidentiality, integrity, and availability of the affected application.
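An illustrative allowlisting ObjectInputStream, added here as an example and not Apache MINA's own code: it applies the accept filter to every class name before any branch that resolves a class, so a primitive-type or static-class branch cannot skip the check the way the flawed resolveClass() did. The class name AllowlistObjectInputStream, the acceptMatchers list, the PRIMITIVES map and the sample payload are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical hardened deserializer (not MINA's code): the allowlist is applied
// first, so no later branch can load a class that the filter did not accept.
public class AllowlistObjectInputStream extends ObjectInputStream {

    // Primitive descriptors that Class.forName() cannot resolve by name.
    private static final Map<String, Class<?>> PRIMITIVES = Map.of(
            "boolean", boolean.class, "byte", byte.class, "char", char.class,
            "short", short.class, "int", int.class, "long", long.class,
            "float", float.class, "double", double.class, "void", void.class);

    private final List<Pattern> acceptMatchers;

    public AllowlistObjectInputStream(InputStream in, List<Pattern> acceptMatchers) throws IOException {
        super(in);
        this.acceptMatchers = acceptMatchers;
    }

    private boolean isAccepted(String className) {
        for (Pattern p : acceptMatchers) {
            if (p.matcher(className).matches()) {
                return true;
            }
        }
        return false;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Check the allowlist before either branch below touches the class.
        if (!isAccepted(name)) {
            throw new InvalidClassException(name, "class is not in the accepted class filter");
        }
        Class<?> primitive = PRIMITIVES.get(name);
        if (primitive != null) {
            return primitive; // primitive branch: reached only after the check above
        }
        return Class.forName(name, false, Thread.currentThread().getContextClassLoader());
    }

    // Demo: a java.util allowlist accepts a serialized ArrayList; an empty allowlist rejects it.
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(new ArrayList<>(List.of("a", "b"))); // constructed sample payload
        }

        List<Pattern> allowJavaUtil = List.of(Pattern.compile("java\\.util\\..*"));
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()), allowJavaUtil)) {
            System.out.println("accepted: " + in.readObject());
        }

        List<Pattern> allowNothing = List.of();
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()), allowNothing)) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The override mirrors the resolveClass() pattern the advisory describes; on Java 9 and later the same gate can be expressed as an ObjectInputFilter installed with ObjectInputStream.setObjectInputFilter (or the jdk.serialFilter property), which is applied to every class the stream resolves, arrays included, and also enforces depth and size limits. Whichever mechanism is used, the point of the fix is the ordering: the filter runs before any code path that can load a class.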

Affected Systems

Customers using Apache Software Foundation’s Apache MINA within versions 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5 are impacted. Applications that employ IoBuffer.getObject() to deserialize data are also vulnerable. Any services that expose MINA over a network and process external traffic may expose this flaw.

Risk and Exploitability

The vulnerability has a CVSS score of 9.8, indicating critical severity. The EPSS score is less than 1% and it is not listed in CISA’s KEV catalog, suggesting limited exploitation in the wild. However, the likely attack vector is remote or network‑based, based on the use of IoBuffer.getObject() to process remote data. If an attacker can supply crafted serialized input, they can trigger the unchecked class resolution and achieve arbitrary code execution. The upgrade path to mitigated versions (2.0.28, 2.1.11, or 2.2.6+) is the only confirmed defensive measure currently available.

Generated by OpenCVE AI on April 28, 2026 at 04:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache MINA to version 2.0.28 or later (2.1.11, 2.2.6+) to enforce the classname allowlist.
  • Audit the application code for any usage of IoBuffer.getObject() with data from untrusted sources and either remove or replace it with a safer serialization mechanism.
  • If an immediate upgrade is not possible, isolate the MINA‑based service from external networks or restrict inbound connections so that only trusted traffic can reach the deserialization endpoint until the patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 04:40 UTC.


Advisories
Source: Github GHSA
ID: GHSA-8297-v2rf-2p32
Title: Apache MINA vulnerable to Deserialization of Untrusted Data
History

Wed, 29 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache mina
Vendors & Products Apache
Apache mina

Tue, 28 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Critical


Mon, 27 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Mon, 27 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Description Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName().  Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call  IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
Title Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T03:55:38.297Z

Reserved: 2026-04-21T22:18:22.755Z

Link: CVE-2026-41635

Vulnrichment

Updated: 2026-04-27T16:32:59.767Z

NVD

Status : Analyzed

Published: 2026-04-27T09:16:01.893

Modified: 2026-04-29T19:08:21.840

Link: CVE-2026-41635

Redhat

Severity : Critical

Published Date: 2026-04-27T08:59:50Z

Links: CVE-2026-41635 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z

Weaknesses