cbcvebase.
CVE-2026-41635
published 2026-04-27

CVE-2026-41635: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all…

Priority: P2 (61) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.64% (46.1th percentile)
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, and one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks whether the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
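As an added illustration (not Apache MINA's own code), this is the shape of the fix the advisory describes: a resolveClass() override that consults the accepted-class filter before any class lookup, on the only path there is, so no branch can hand back an unchecked class. The class name, allowlist contents and sample objects are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

// Illustrative allowlisting stream written for this page; not MINA's AbstractIoBuffer.
public class GuardedObjectInputStream extends ObjectInputStream {
    private final Set<String> accepted;   // assumed allowlist of fully qualified class names

    public GuardedObjectInputStream(InputStream in, Set<String> accepted) throws IOException {
        super(in);
        this.accepted = accepted;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // The allowlist is applied first and unconditionally. The vulnerable pattern the
        // advisory describes had a second branch that resolved the class without this check.
        if (!accepted.contains(name)) {
            throw new InvalidClassException(name, "class not in deserialization allowlist");
        }
        // super.resolveClass() is what performs the Class.forName() lookup; only accepted names reach it.
        return super.resolveClass(desc);
    }

    // Round-trips one object through the guarded stream; throws for non-allowlisted classes.
    static Object roundTrip(Object o, Set<String> accepted) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        try (GuardedObjectInputStream in = new GuardedObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()), accepted)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> allow = Set.of("java.util.Date");                // constructed allowlist
        System.out.println(roundTrip(new java.util.Date(0L), allow)); // accepted: prints the epoch date
        try {
            roundTrip(new java.util.HashMap<String, String>(), allow);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname);          // HashMap is not allowlisted
        }
    }
}
```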

Affected (12 ranges)

Vendor | Product | Version range | Fixed in
apache | mina | >= 2.0.0 < 2.0.28 | 2.0.28
apache | mina | >= 2.1.0 < 2.1.11 | 2.1.11
apache | mina | >= 2.1.0 < 2.1.12 | 2.1.12
apache | mina | >= 2.2.0 < 2.2.6 | 2.2.6
apache | mina | >= 2.2.0 < 2.2.7 | 2.2.7
apache_software_foundation | apache_mina | 2.1.X – 2.1.11 | (not listed)
apache_software_foundation | apache_mina | 2.2.X – 2.2.6 | (not listed)
javapackages-tools_201801 | maven-wagon | (not listed) | (not listed)
jenkins | jenkins | (not listed) | (not listed)
maven_3.9 | maven-wagon | (not listed) | (not listed)
ocp-tools-4 | jenkins-rhel8 | (not listed) | (not listed)
ocp-tools-4 | jenkins-rhel9 | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

  • Vulnerable method is AbstractIoBuffer.resolveClass() in Apache MINA — monitor for deserialization calls through this method, particularly for static classes or primitive types that bypass the classname allowlist
  • Detection focus: applications invoking IoBuffer.getObject() are the attack surface — audit or monitor calls to this method in Apache MINA-based applications
  • The fix applies the classname allowlist check before Class.forName() — absence of this check in the resolveClass() static/primitive branch indicates a vulnerable version; use code analysis or IAST to verify the guard is present
  • A remote attacker can exploit this via network-delivered deserialization payloads — monitor for unexpected or anomalous Java deserialization traffic on ports used by Apache MINA services
  • Affected Apache MINA versions: 2.0.0–2.0.27, 2.1.0–2.1.10, 2.2.0–2.2.5; fixed in 2.0.28, 2.1.11, 2.2.6. However, the fix was NOT applied to the 2.1.x and 2.2.x branches (tracked as CVE-2026-42779), so 2.1.11 and 2.2.6 remain vulnerable
  • CVE-2026-42779 extends the affected range: Apache MINA 2.1.0–2.1.11 and 2.2.0–2.2.6 remain vulnerable; fully fixed only in 2.1.12 and 2.2.7
  • Red Hat JBoss EAP 7, EAP 8, and Red Hat Fuse 7 ship mina-core but are listed as NOT affected; do not apply detections blindly to those environments

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |