CVE-2026-42779
published 2026-05-01


Priority: P2 (61) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.2th percentile)
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Affected

8 ranges

Vendor                      Product        Version range         Fixed in
apache                      mina           >= 2.1.0 < 2.1.12     2.1.12
apache                      mina           >= 2.2.0 < 2.2.7      2.2.7
javapackages-tools_201801   maven-wagon
jenkins                     jenkins
maven_3.9                   maven-wagon
ocp-tools-4                 jenkins-rhel8
ocp-tools-4                 jenkins-rhel9
ubuntu                      mina2

Detection & IOCs (extracted from sources)

  • Scope detection to applications using Apache MINA that call IoBuffer.getObject(): this is the code path that reaches the classname allowlist bypass in AbstractIoBuffer.resolveClass().
  • Focus detection on deserialization of specially crafted serialized objects sent over the network to Apache MINA listeners.
  • The vulnerable code path is the static-class/primitive-type branch of AbstractIoBuffer.resolveClass(); monitor for unexpected class loading via Class.forName() triggered from this method in MINA 2.1.0–2.1.11 or 2.2.0–2.2.6.
  • Affected version ranges for triage/detection scoping: Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6.
  • Red Hat states the vulnerable code cannot be reached in most of their products despite being present; validate reachability of IoBuffer.getObject() before treating affected packages as exploitable.
  • This CVE is a re-occurrence of CVE-2026-41635: the original fix was not backported to the 2.1.X and 2.2.X branches, so environments that patched CVE-2026-41635 on 2.0.X may still be vulnerable on these branches.
  • The fix applies the classname allowlist check earlier, before Class.forName() is called; detection logic or WAF rules should account for the pre-fix behaviour, in which static/primitive-type class descriptors bypass the filter entirely.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa                      9.8     CRITICAL
vendor_redhat             9.8     CRITICAL
vendor_ubuntu             9.8     CRITICAL