CVE-2026-41635
Published 2026-04-27
Priority P261 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (46.1th percentile)
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
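The shape of the fix described above (the allowlist consulted on every path of resolveClass() before Class.forName() can run), as an added Java illustration. This is not Apache MINA's code and not the patch: the custom stream class, the allowlist contents, the ObjectInputFilter limits and the NotAllowed sample type are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustration only (not Apache MINA's code): an ObjectInputStream whose resolveClass()
 * runs the class-name allowlist on every path BEFORE Class.forName() is reached.
 * The defect described in the advisory has the opposite shape: one branch returned
 * early and never consulted the allowlist.
 */
public final class AllowlistObjectInputStream extends ObjectInputStream {

    // Hypothetical allowlist; a real one is derived from the types the protocol actually exchanges.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Number", "java.util.ArrayList");

    // Arrays of primitives arrive as descriptors such as "[I" or "[[B"; they carry no code,
    // so they are accepted by shape rather than by name.
    private static final Pattern PRIMITIVE_ARRAY = Pattern.compile("\\[+[ZBCSIJFD]");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
        // Defence in depth (JDK 9+): cap graph depth and array sizes independently of the allowlist.
        setObjectInputFilter(ObjectInputFilter.Config.createFilter("maxdepth=16;maxarray=100000"));
    }

    static boolean accepted(String className) {
        return ALLOWED.contains(className) || PRIMITIVE_ARRAY.matcher(className).matches();
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Single gate, evaluated first: there is no early return for "already resolved" or
        // primitive descriptors, so Class.forName() (inside super.resolveClass) is only
        // reached by names that passed the allowlist.
        if (!accepted(name)) {
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    /* ---- constructed demonstration data ---- */

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Stands in for any Serializable type that is not on the allowlist.
    static final class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        int value = 42;
    }

    public static void main(String[] args) throws Exception {
        // Allowed by name: ArrayList; its String elements are written inline and never hit resolveClass().
        System.out.println(deserialize(serialize(new ArrayList<>(List.of("a", "b")))));
        // Allowed by shape: a primitive array descriptor "[I".
        System.out.println(Arrays.toString((int[]) deserialize(serialize(new int[] {1, 2, 3}))));
        // Rejected before Class.forName(): the allowlist gate runs on every descriptor.
        try {
            deserialize(serialize(new NotAllowed()));
            System.out.println("BUG: NotAllowed was resolved");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a JDK 9 or later (`javac AllowlistObjectInputStream.java && java AllowlistObjectInputStream`). The design point is that the gate is a single statement at the top of resolveClass(): any second branch added later for a special case (primitive descriptors, cached classes, proxies) still has to pass through it, which is exactly the property the advisory says was missing.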
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | mina | >= 2.0.0 < 2.0.28 | 2.0.28 |
| apache | mina | >= 2.1.0 < 2.1.11 | 2.1.11 |
| apache | mina | >= 2.1.0 < 2.1.12 | 2.1.12 |
| apache | mina | >= 2.2.0 < 2.2.6 | 2.2.6 |
| apache | mina | >= 2.2.0 < 2.2.7 | 2.2.7 |
| apache_software_foundation | apache_mina | 2.1.X – 2.1.11 | — |
| apache_software_foundation | apache_mina | 2.2.X – 2.2.6 | — |
| javapackages-tools_201801 | maven-wagon | — | — |
| jenkins | jenkins | — | — |
| maven_3.9 | maven-wagon | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerable method is AbstractIoBuffer.resolveClass() in Apache MINA: monitor for deserialization calls through this method, particularly for static classes or primitive types that bypass the classname allowlist.
- Detection focus: applications invoking IoBuffer.getObject() are the attack surface; audit or monitor calls to this method in Apache MINA-based applications.
- The fix applies the classname allowlist check before Class.forName(); absence of this check in the resolveClass() static/primitive branch indicates a vulnerable version. Use code analysis or IAST to verify the guard is present.
- A remote attacker can exploit this via network-delivered deserialization payloads; monitor for unexpected or anomalous Java deserialization traffic on ports used by Apache MINA services.
- Affected Apache MINA versions: 2.0.0–2.0.27, 2.1.0–2.1.10, 2.2.0–2.2.5; fixed in 2.0.28, 2.1.11, 2.2.6. However, the fix was NOT applied to the 2.1.x and 2.2.x branches (tracked as CVE-2026-42779), so 2.1.11 and 2.2.6 remain vulnerable.
- CVE-2026-42779 extends the affected range: Apache MINA 2.1.0–2.1.11 and 2.2.0–2.2.6 remain vulnerable; fully fixed only in 2.1.12 and 2.2.7.
- Red Hat JBoss EAP 7, EAP 8, and Red Hat Fuse 7 ship mina-core but are listed as NOT affected; do not apply detections blindly to those environments.
CVSS provenance
- NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- GHSA: 9.8 CRITICAL
- Red Hat (vendor): 9.8 CRITICAL
GHSA · 2026-05-01 · CVSS 9.8
CVE-2026-42779 [CRITICAL] CWE-502: Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
GHSA (unreviewed) · 2026-05-01 · CVSS 9.8
CVE-2026-42779 [CRITICAL] CWE-502: GHSA-vf5j-865m-mq7c: The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
GHSA (unreviewed) · 2026-04-27
CVE-2026-41635 [CRITICAL] CWE-502: GHSA-8297-v2rf-2p32: Apache MINA's AbstractIoBuffer.resolveClass() allowlist bypass
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
VulDB · 2026-04-27 · CVSS 9.8
CVE-2026-41635 [CRITICAL]: Apache MINA up to 2.0.27/2.1.10/2.2.5 acceptMatchers Filter AbstractIoBuffer.resolveClass deserialization
A vulnerability identified as critical has been detected in Apache MINA up to 2.0.27/2.1.10/2.2.5. This issue affects the function AbstractIoBuffer.resolveClass of the component acceptMatchers Filter. Performing a manipulation results in deserialization.
This vulnerability is identified as CVE-2026-41635. The attack can be initiated remotely. There is not any exploit available.
You should upgrade the affected component.
GHSA · 2026-04-27
CVE-2026-41635 [CRITICAL] CWE-502: Apache MINA vulnerable to Deserialization of Untrusted Data
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Red Hat · 2026-04-27 · CVSS 9.8
CVE-2026-41635 [CRITICAL] CWE-502: Apache MINA: Arbitrary code execution via classname allowlist bypass
A flaw was found in Apache MINA. A remote attacker could exploit a vulnerability in the `AbstractIoBuffer.resolveClass()` method, which failed to properly validate class names for static classes or primitive types. This bypasses the intended security control, known as a classname allowlist, allowing an attacker to execute arbitrary code on systems running applications that use Apache MINA and call `IoBuffer.getObject()`. This could lead to a complete compromise of the affected system.
Package: jenkins (OpenShift Developer Tools and Services): Affected
Package: jenkins-2-plugins (OpenShift Developer Tools and Services): Affected
Package: ocp-tools-4/jenkins-rhel8 (OpenShift Developer Tools and Services)
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-05-01 · CVSS 9.8
CVE-2026-42779 [CRITICAL]: Apache MINA: Arbitrary Code Execution via Classname Allowlist Bypass
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.
The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Bugzilla · 2026-04-27 · CVSS 9.8
CVE-2026-41635 [CRITICAL]: Apache MINA: Arbitrary code execution via classname allowlist bypass
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
Bugzilla · 2026-04-27 · CVSS 9.8
CVE-2026-41635 [CRITICAL]: apache-commons-vfs: Apache MINA: Arbitrary code execution via classname allowlist bypass [fedora-all]
Disclaimer: Community trackers are created by the Red Hat Product Security team on a best-effort basis. Package maintainers are required to ascertain whether the flaw indeed affects their package before starting the update process.