Description
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late: a static initializer in a class being read might already have been executed.

Affected versions are Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6.

The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.
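The ordering problem the advisory describes, as an added illustration written for this page (it is not Apache MINA's own code): the flawed stream loads, and therefore initializes, the named class before consulting the allowlist, while the corrected stream rejects the name taken from the stream descriptor before anything is loaded. The allowlist contents and the sample objects are constructed for the demo.

```java
import java.io.*;
import java.util.Set;

// Illustrative code written for this page; it is not Apache MINA's implementation.
public class AllowlistOrderingDemo {
    // Constructed allowlist: Integer and its serializable superclass Number.
    static final Set<String> ALLOWED = Set.of("java.lang.Integer", "java.lang.Number");

    // Flawed ordering (the shape of the bug described above): Class.forName(String)
    // loads AND initializes the named class, so its static initializer has already
    // run by the time the allowlist is consulted.
    static class LateCheckInputStream extends ObjectInputStream {
        LateCheckInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            Class<?> c = Class.forName(desc.getName()); // static initializer runs here
            if (!ALLOWED.contains(c.getName())) {
                throw new InvalidClassException(c.getName(), "not in allowlist");
            }
            return c;
        }
    }

    // Corrected ordering: the name comes from the stream descriptor and is rejected
    // before any class loading; super.resolveClass() then loads without initializing.
    static class EarlyCheckInputStream extends ObjectInputStream {
        EarlyCheckInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not in allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // An allowlisted type deserializes normally.
        try (ObjectInputStream in = new EarlyCheckInputStream(new ByteArrayInputStream(serialize(Integer.valueOf(42))))) {
            System.out.println("accepted: " + in.readObject());
        }
        // A type outside the allowlist is refused by name; its class is never loaded.
        try (ObjectInputStream in = new EarlyCheckInputStream(new ByteArrayInputStream(serialize(new java.util.ArrayList<>())))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected before loading: " + e.classname);
        }
    }
}
```

On Java 9 and later the JEP 290 ObjectInputFilter mechanism refuses unapproved classes before any instance is created and is the standard way to express such an allowlist.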
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Apache MINA’s AbstractIoBuffer.getObject() allowed an attacker to trigger the static initializer of a class before the class‑allowlist was applied. The unsafe deserialization of untrusted data enabled arbitrary code execution through crafted serialized payloads, compromising confidentiality, integrity, and availability of the affected system.

Affected Systems

Apache MINA versions 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6 are vulnerable. Any application that calls IoBuffer.getObject() and receives data from an untrusted source may be impacted.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and the absence of an EPSS rating suggests that insufficient data is available to gauge daily exploitation probability. The vulnerability is not listed in CISA KEV, but its high CVSS score and the nature of deserialization flaws mean that exploitation is feasible if an attacker can supply crafted data. The likely attack vector is network‑based input that is deserialized by an application using MINA without prior validation.

Generated by OpenCVE AI on May 1, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache MINA 2.1.12 or 2.2.7 which apply the class‑allowlist before static initialization.
  • Restrict or eliminate usage of IoBuffer.getObject() for data received from untrusted sources, substituting safer input handling where possible.
  • Configure network controls or application firewalls to block unauthenticated or unauthorised traffic that could supply malicious serialized payloads.

Generated by OpenCVE AI on May 1, 2026 at 23:50 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Apache; Apache mina
CPEs                                  cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*
Vendors & Products                    Apache; Apache mina

Fri, 01 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 01 May 2026 10:30:00 +0000

Type          Values Removed   Values Added
Description                    The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
Title                          Apache MINA: CWE-502 Deserialization of Untrusted Data (take 2)
Weaknesses                     CWE-502
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-02T03:55:26.868Z

Reserved: 2026-04-29T13:31:49.189Z

Link: CVE-2026-42778

Vulnrichment

Updated: 2026-05-01T13:21:09.133Z

NVD

Status : Analyzed

Published: 2026-05-01T11:16:19.383

Modified: 2026-05-01T17:55:49.277

Link: CVE-2026-42778

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses