Severity by source
Sources disagree (Low–Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Blast Radius
ecosystem impact- 32 maven packages depend on org.apache.mina:mina-core (14 direct, 18 indirect)
Ecosystem-wide dependent count for version 2.1.0.
DescriptionCVE.org
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks if the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
AnalysisAI
Remote unauthenticated code execution in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 allows attackers to bypass class allowlist protections via unsafe deserialization. The vulnerability exists because the fix for CVE-2026-41635 was not backported to the 2.1.X and 2.2.X branches, leaving AbstractIoBuffer.resolveClass() susceptible to arbitrary class instantiation when applications call IoBuffer.getObject(). Only applications actively using MINA's deserialization features are affected. EPSS data not available; no KEV listing or public POC identified at time of analysis.
Technical ContextAI
Apache MINA (Multipurpose Infrastructure for Network Applications) is a Java network application framework providing abstractions for TCP, UDP, and serial communication. The vulnerability resides in AbstractIoBuffer.resolveClass(), which handles object deserialization through the IoBuffer.getObject() API. The method contains two code paths: one for regular classes that applies a classname allowlist filter, and another for static classes and primitive types that bypasses validation entirely. This design flaw enables classic unsafe deserialization attacks (CWE-502) where untrusted data can instantiate arbitrary classes. The original fix for CVE-2026-41635 corrected this by moving allowlist validation before Class.forName() invocation, but was only applied to newer branches, leaving 2.1.X and 2.2.X versions vulnerable. The CPE identifies Apache Software Foundation's MINA framework as the affected product across both vulnerable version ranges.
RemediationAI
Upgrade immediately to Apache MINA 2.1.12 (for 2.1.X users) or 2.2.7 (for 2.2.X users), which apply the classname allowlist validation before Class.forName() calls in AbstractIoBuffer.resolveClass(). Vendor advisory with full details available at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0. If immediate patching is not feasible, implement compensating controls: audit application code to identify all IoBuffer.getObject() call sites and eliminate deserialization of untrusted data, replace object deserialization with structured data formats like JSON or Protocol Buffers (trades convenience for security), or implement network segmentation to restrict access to MINA service endpoints to trusted clients only (reduces attack surface but does not eliminate insider threat). Note that disabling deserialization may break application functionality if IoBuffer.getObject() is used in legitimate workflows. Deploy application-layer input validation and monitoring for unexpected class instantiation attempts as detective controls while patches are tested.
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26493
GHSA-vf5j-865m-mq7c