CVE-2026-42779
Published 2026-05-01
Priority P261 · Severity critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.90% (55.2th percentile)
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. The original issue description:
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions are Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6.
The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade.
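The description above gives the shape of the bug (a resolveClass() with two branches, one of which never consults the allowlist) and the shape of the fix (check the name before Class.forName()). The following is an added illustrative example written for this page; it is not Apache MINA's code and does not reproduce MINA's actual resolveClass() or its allowlist API. The class and method names (AllowlistedDeserialization, AllowlistedObjectInputStream, allowed(), Gadget) are invented for the example, the payloads are constructed inline, and the JDK's ObjectInputFilter (Java 9 or later) is layered underneath as an independent second check.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Predicate;

/*
 * Illustrative example, not Apache MINA's code: a resolveClass() with two branches
 * where the classname allowlist is consulted BEFORE either branch produces a Class.
 * All names are invented for the example. Requires Java 9+ for ObjectInputFilter.
 */
public class AllowlistedDeserialization {

    /** Stand-in for an attacker's gadget class; records whether readObject() ran. */
    public static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static volatile boolean readObjectRan = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // a real gadget would start its chain here
        }
    }

    /** Decide on the descriptor name alone: arrays are reduced to their element type
     *  ("[[Ljava.lang.String;" -> "java.lang.String"); primitive arrays ("[I") carry no code. */
    public static boolean allowed(String descName, Predicate<String> acceptClass) {
        String n = descName;
        int dims = 0;
        while (n.startsWith("[")) {
            n = n.substring(1);
            dims++;
        }
        if (dims > 0 && n.length() == 1 && "ZBCDFIJS".indexOf(n.charAt(0)) >= 0) {
            return true; // primitive array element
        }
        if (dims > 0 && n.startsWith("L") && n.endsWith(";")) {
            n = n.substring(1, n.length() - 1);
        }
        return acceptClass.test(n);
    }

    /** ObjectInputStream whose resolveClass() gates both branches on the allowlist. */
    public static class AllowlistedObjectInputStream extends ObjectInputStream {
        private final ClassLoader loader;
        private final Predicate<String> accept;

        public AllowlistedObjectInputStream(InputStream in, ClassLoader loader, Predicate<String> accept)
                throws IOException {
            super(in);
            this.loader = loader;
            this.accept = accept;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // The pre-fix shape described on the page gated only the Class.forName branch;
            // here the check runs first so neither branch can hand back an unvetted class.
            if (!allowed(name, accept)) {
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            Class<?> bound = desc.forClass(); // branch 1: descriptor already bound to a class
            if (bound != null) {
                return bound;
            }
            // branch 2: load by name; initialize=false so no static initialiser runs here
            return Class.forName(name, false, loader);
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialise under the name allowlist plus a JDK serial filter as a second layer. */
    public static Object readAllowlisted(byte[] data, Predicate<String> accept)
            throws IOException, ClassNotFoundException {
        try (AllowlistedObjectInputStream in = new AllowlistedObjectInputStream(
                new ByteArrayInputStream(data), AllowlistedDeserialization.class.getClassLoader(), accept)) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.*;java.lang.*;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Predicate<String> accept = n -> n.startsWith("java.util.") || n.startsWith("java.lang.");

        // Constructed benign payload: a map holding a primitive array, so "[I" reaches resolveClass().
        Map<String, int[]> benign = new HashMap<>();
        benign.put("ports", new int[] {22, 443});
        Object back = readAllowlisted(serialize(benign), accept);
        System.out.println("benign payload accepted as " + back.getClass().getName());

        // Constructed hostile payload: a class outside the allowlist.
        byte[] hostile = serialize(new Gadget());
        try {
            readAllowlisted(hostile, accept);
            System.out.println("BUG: gadget was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected before any load: " + e.getMessage());
        }
        System.out.println("gadget readObject() ran: " + Gadget.readObjectRan);
    }
}
```

Compile and run with `javac AllowlistedDeserialization.java && java AllowlistedDeserialization`. Two points the example is built around: the allowlist decision is made on the descriptor name before any Class object exists, because a Class.forName() call with initialize=true would already run the named class's static initialiser, and the JDK serial filter is only consulted after resolveClass() returns, so on its own it does not stop a permissive resolver from loading the class. The array handling matters in practice: a prefix allowlist that does not strip "[" and "L...;" will reject legitimate int[] or String[] fields, which is how such checks get loosened in the field. For MINA-based services the actual remediation is the upgrade to 2.1.12 or 2.2.7 named above; this example only illustrates the ordering the fix restores.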
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | mina | >= 2.1.0 < 2.1.12 | 2.1.12 |
| apache | mina | >= 2.2.0 < 2.2.7 | 2.2.7 |
| javapackages-tools_201801 | maven-wagon | — | — |
| jenkins | jenkins | — | — |
| maven_3.9 | maven-wagon | — | — |
| ocp-tools-4 | jenkins-rhel8 | — | — |
| ocp-tools-4 | jenkins-rhel9 | — | — |
| ubuntu | mina2 | — | — |
Detection & IOCs
- Target applications using Apache MINA that call IoBuffer.getObject(); this is the code path that reaches the classname allowlist bypass in AbstractIoBuffer.resolveClass().
- Focus detection on deserialization of specially crafted serialized objects sent over the network to Apache MINA listeners.
- The vulnerable code path is the static-class/primitive-type branch of AbstractIoBuffer.resolveClass(); monitor for unexpected class loading via Class.forName() triggered from this method in MINA 2.1.0 through 2.1.11 or 2.2.0 through 2.2.6.
- Affected version ranges for triage and detection scoping: Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6.
- Red Hat states that the vulnerable code is present in its products but cannot be reached; validate reachability of IoBuffer.getObject() before treating an affected package as exploitable.
- This CVE is an incomplete fix of CVE-2026-41635: the original fix was not applied to the 2.1.X and 2.2.X branches, so environments that patched CVE-2026-41635 on another release branch may still be vulnerable on these two.
- The fix applies the classname allowlist check before Class.forName() is called; detection logic should account for the pre-fix behaviour, where static-class/primitive-type class descriptors bypass the filter entirely.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
GHSA
Apache MINA vulnerable to Deserialization of Untrusted Data (CVE-2026-41635 Incomplete Fix)
ghsa · 2026-05-01 · CVSS 9.8 · CRITICAL · CWE-502
GHSA (unreviewed)
GHSA-vf5j-865m-mq7c: The fix for CVE-2026-41635 was not applied to the 2
ghsa_unreviewed · 2026-05-01 · CVSS 9.8 · CRITICAL · CWE-502
Ubuntu
Apache MINA vulnerabilities
vendor_ubuntu · 2026-06-23 · CVSS 9.8 · CRITICAL (notice filed under CVE-2026-47065)
Summary: Apache MINA could be made to run programs if it received specially crafted network traffic.
It was discovered that Apache MINA lacked an acceptMatchers allowlist
mechanism to restrict which classes could be deserialized. An attacker
could use this to execute arbitrary code. This issue only affected
Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. (CVE-2024-52046)
It was discovered that Apache MINA's deserialization filter could be
bypassed via multiple code paths. An attacker could use this to execute
arbitrary code by sending a specially crafted serialized object over the
network. (CVE-2026-42778, CVE-2026-42779, CVE-2026-47065)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
Apache MINA: Arbitrary Code Execution via Classname Allowlist Bypass
vendor_redhat · 2026-05-01 · CVSS 9.8 · CRITICAL · CWE-502
A flaw was found in Apache MINA. An attacker can exploit a vulnerability in the AbstractIoBuffer.resolveClass() method, specifically when IoBuffer.getObject() is called, to bypass the classname allowlist. This bypass allows for the execution of arbitrary code, potentially leading to full system compromise.
Statement: Red Hat products are affected by this vulnerability. However, the vulnerable code cannot be reached, and therefore they are not vulnerable. For this reason, this flaw has been rated with a low severity.
Package: jenkins (OpenShift Developer Tools and Services) - Affected
Package: jenkins-2-plugins (OpenShift Developer Tools and Services) - Affected
Package: ocp-tools-4/jenkins-rhel8 (OpenShift
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-42779 apache-commons-vfs: Apache MINA: Arbitrary Code Execution via Classname Allowlist Bypass [fedora-all]
bugzilla · 2026-05-14 · CVSS 9.8 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-42779 Apache MINA: Arbitrary Code Execution via Classname Allowlist Bypass
bugzilla · 2026-05-01 · CVSS 9.8 · CRITICAL
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews · 2026-05-11 · CVSS 9.3 · CRITICAL (filed under CVE-2026-6973)
Published 2026-05-01