Description
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.

The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.
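The two-branch pattern and the fix described above, shown as an added illustration in plain Java rather than Apache MINA's own code: a hypothetical ObjectInputStream subclass whose resolveClass() carries both shapes. The branch taken when the descriptor has no resolved class (primitives and classes not yet loaded) is the one that, in the flawed shape, reaches Class.forName() without consulting the allowlist; the hardened shape applies the allowlist before any lookup. The class name, the ACCEPTED patterns and the `hardened` switch are constructed for this illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical illustration of the flawed vs. hardened resolveClass() shape; not Apache MINA's code.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Constructed allowlist of class-name patterns that may be deserialized.
    private static final Set<Pattern> ACCEPTED = Set.of(
            Pattern.compile("java\\.lang\\.(String|Integer|Long|Boolean)"),
            Pattern.compile("com\\.example\\.dto\\..*"));
    // Primitive type names carry no loadable class and need their own lookup.
    private static final Map<String, Class<?>> PRIMITIVES = Map.of(
            "int", int.class, "long", long.class, "short", short.class, "byte", byte.class,
            "char", char.class, "boolean", boolean.class, "float", float.class, "double", double.class);
    private final boolean hardened;

    public AllowlistObjectInputStream(InputStream in, boolean hardened) throws IOException {
        super(in);
        this.hardened = hardened;
    }

    private static boolean accepted(String name) {
        return PRIMITIVES.containsKey(name) || ACCEPTED.stream().anyMatch(p -> p.matcher(name).matches());
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Hardened shape: filter every descriptor before any lookup, so no branch below
        // can reach Class.forName() with an unchecked name.
        if (hardened && !accepted(name)) {
            throw new InvalidClassException(name, "not in deserialization allowlist");
        }
        Class<?> clazz = desc.forClass();
        if (clazz == null) {
            // Flawed shape: this branch (primitives, not-yet-resolved classes) skipped the
            // allowlist and went straight to Class.forName().
            Class<?> primitive = PRIMITIVES.get(name);
            return primitive != null ? primitive : Class.forName(name, false, getClass().getClassLoader());
        }
        // Flawed shape: only this branch was filtered.
        if (!accepted(name)) {
            throw new InvalidClassException(name, "not in deserialization allowlist");
        }
        return clazz;
    }
}
```

On Java 9 and later, ObjectInputStream.setObjectInputFilter() with a pattern such as "com.example.dto.**;java.lang.String;!*" enforces an allowlist inside the JDK's own deserialization path, independent of any resolveClass() override.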
Published: 2026-05-01
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache MINA's AbstractIoBuffer.resolveClass() implementation contains two branches; the one for static classes or primitive types skips the classname allowlist entirely. This bypass allows an attacker to supply arbitrary class names in deserialized objects, leading to full object deserialization and remote code execution. The flaw is a classic deserialization vulnerability, classified as CWE-502 (Deserialization of Untrusted Data), and results in arbitrary code execution when the deserializer is invoked on untrusted input.

Affected Systems

Affected versions are Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6. Any application that utilizes Apache MINA and calls IoBuffer.getObject() is potentially vulnerable, regardless of the environment in which it runs.

Risk and Exploitability

The CVSS score is 9.8, indicating critical severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can provide a serialized payload to IoBuffer.getObject() can exploit the flaw to execute arbitrary code. The vulnerability remains highly impactful, and although no public exploit has been documented, the implementation details make it straightforward for an attacker with network or local access to the deserialization endpoint to trigger remote code execution.

Generated by OpenCVE AI on May 1, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Apache MINA library to version 2.1.12 or later, or to 2.2.7 or later, which applies the classname allowlist correctly.
  • Audit all application code that uses IoBuffer.getObject() and replace or remove it; for remaining serialization calls, enforce a safe deserialization policy such as a custom class loader or an allowlist of permitted classes.
  • Conduct a thorough security review of the application to identify any other deserialization points and apply the same mitigation or removal strategy.

Generated by OpenCVE AI on May 1, 2026 at 23:50 UTC.


Advisories

No advisories yet.

History

Fri, 01 May 2026 18:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Apache; Apache mina
CPEs                 (none)           cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*
Vendors & Products   (none)           Apache; Apache mina

Fri, 01 May 2026 14:30:00 +0000

Type                 Values Removed   Values Added
Metrics              (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 01 May 2026 10:30:00 +0000

Type                 Values Removed   Values Added
Description          (none)           (the description shown at the top of this page)
Title                (none)           Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2)
Weaknesses           (none)           CWE-502
References           (none)           (none)
Metrics              (none)           cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: apache
Published:
Updated: 2026-05-02T03:55:25.715Z
Reserved: 2026-04-29T13:32:57.549Z
Link: CVE-2026-42779

Vulnrichment

Updated: 2026-05-01T13:20:46.544Z

NVD

Status: Analyzed
Published: 2026-05-01T11:16:19.537
Modified: 2026-05-01T17:55:28.940
Link: CVE-2026-42779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T00:00:14Z

Weaknesses