Skip to main content

Apache MINA CVE-2026-42779

| EUVDEUVD-2026-26493 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-05-01 apache GHSA-vf5j-865m-mq7c
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Low–Critical)
NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 LOW
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 01, 2026 - 10:45 vuln.today
EUVD ID Assigned
May 01, 2026 - 10:30 euvd
EUVD-2026-26493
Analysis Generated
May 01, 2026 - 10:30 vuln.today
CVE Published
May 01, 2026 - 10:00 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 32 maven packages depend on org.apache.mina:mina-core (14 direct, 18 indirect)

Ecosystem-wide dependent count for version 2.1.0.

DescriptionCVE.org

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.

The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

AnalysisAI

Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). Only applications actively using MINA's deserialization features are affected. EPSS data not available; no KEV listing or public POC identified at time of analysis.

Technical ContextAI

Apache MINA (Multipurpose Infrastructure for Network Applications) is a Java network application framework providing abstractions for TCP, UDP, and serial communication. The vulnerability resides in AbstractIoBuffer.resolveClass(), which handles object deserialization through the IoBuffer.getObject() API. The method contains two code paths: one for regular classes that applies a classname allowlist filter, and another for static classes and primitive types that bypasses validation entirely. This design flaw enables classic unsafe deserialization attacks (CWE-502) where untrusted data can instantiate arbitrary classes. The original fix for CVE-2026-41635 corrected this by moving allowlist validation before Class.forName() invocation, but was only applied to newer branches, leaving 2.1.X and 2.2.X versions vulnerable. The CPE identifies Apache Software Foundation's MINA framework as the affected product across both vulnerable version ranges.

RemediationAI

Upgrade immediately to Apache MINA 2.1.12 (for 2.1.X users) or 2.2.7 (for 2.2.X users), which apply the classname allowlist validation before Class.forName() calls in AbstractIoBuffer.resolveClass(). Vendor advisory with full details available at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0. If immediate patching is not feasible, implement compensating controls: audit application code to identify all IoBuffer.getObject() call sites and eliminate deserialization of untrusted data, replace object deserialization with structured data formats like JSON or Protocol Buffers (trades convenience for security), or implement network segmentation to restrict access to MINA service endpoints to trusted clients only (reduces attack surface but does not eliminate insider threat). Note that disabling deserialization may break application functionality if IoBuffer.getObject() is used in legitimate workflows. Deploy application-layer input validation and monitoring for unexpected class instantiation attempts as detective controls while patches are tested.

Vendor StatusVendor

Share

CVE-2026-42779 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy