What is the CVSS score of CVE-2026-42779?

CVE-2026-42779 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Apache MINA are affected by CVE-2026-42779?

Apache MINA versions 2.1.0-2.1.11 and 2.2.0-2.2.6 contain a critical remote code execution vulnerability in deserialization logic that allows unauthenticated attackers to bypass security controls and…. A patch is available.

Apache MINA CVE-2026-42779

Q: How to fix or mitigate CVE-2026-42779?

Within 24 hours: inventory all applications using Apache MINA 2.1.X or 2.2.X branches and identify those calling IoBuffer.getObject(). Within 7 days: upgrade to Apache MINA 2.3.0 or later if available; if unavailable, isolate affected systems from untrusted network sources and disable MINA deserialization features where possible. Within 30 days: complete migration to patched MINA versions or replace with alternative serialization mechanisms (e.g., JSON-based APIs) to eliminate deserialization attack surface.

EUVD-2026-26493 CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-05-01 apache

GHSA-vf5j-865m-mq7c

RCE Apache Deserialization Red Hat

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 01, 2026 - 10:45 vuln.today

EUVD ID Assigned

May 01, 2026 - 10:30 euvd

EUVD-2026-26493

Analysis Generated

May 01, 2026 - 10:30 vuln.today

CVE Published

May 01, 2026 - 10:00 nvd

CRITICAL 9.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

32 maven packages depend on org.apache.mina:mina-core (14 direct, 18 indirect)

Ecosystem-wide dependent count for version 2.1.0.

DescriptionNVD

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.

The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

AnalysisAI

Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). …

RemediationAI

Within 24 hours: inventory all applications using Apache MINA 2.1.X or 2.2.X branches and identify those calling IoBuffer.getObject(). Within 7 days: upgrade to Apache MINA 2.3.0 or later if available; if unavailable, isolate affected systems from untrusted network sources and disable MINA deserialization features where possible. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory