CVE-2026-41409

Critical

Published: 27 April 2026

Published

27 April 2026

Modified

29 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0018 39.7th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions…

are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-41409 by requiring timely remediation through upgrading to patched Apache MINA versions 2.0.28, 2.1.11, or 2.2.6 as specified in the vendor advisory.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies systems running affected Apache MINA versions (2.0.0-2.0.27, 2.1.0-2.1.10, 2.2.0-2.2.5) vulnerable to this deserialization flaw.

SI-7 Software, Firmware, and Information Integrity partial match

preventdetect

Integrity verification of Apache MINA library binaries ensures only authorized, patched versions are deployed, preventing exploitation via tampered or unpatched deserialization code.

Security SummaryAI

CVE-2026-41409 is a deserialization vulnerability in Apache MINA's AbstractIoBuffer.getObject() method, stemming from an incomplete fix for CVE-2024-52046. The classname allowlist intended to restrict deserializable classes is applied too late, permitting static initializers in potentially malicious classes to execute beforehand. This affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5, specifically impacting applications that invoke IoBuffer.getObject().

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying crafted serialized data, an unauthenticated adversary can trigger execution of static initializers in disallowed classes (CWE-502), potentially leading to arbitrary code execution and high-impact compromise of confidentiality, integrity, and availability.

The Apache advisory at https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9 states that the issue is fixed in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier in the process. Affected applications are advised to upgrade to these patched versions.

Details

CWE(s): CWE-502

Affected Products

apache

mina

2.0.0 — 2.0.28 · 2.1.0 — 2.1.11 · 2.2.0 — 2.2.6

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CVE-2026-41409 enables remote unauthenticated arbitrary code execution via deserialization in Apache MINA, a network application framework, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9
Mailing List, Vendor Advisory · security@apache.org