Cyber Posture

CVE-2026-41635

Critical

Published: 27 April 2026
Modified: 29 April 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0014 (32.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks whether the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

prevent: Directly mitigates the CVE by requiring identification, prioritization, and remediation of the deserialization flaw through upgrading vulnerable Apache MINA versions.

prevent: Addresses deserialization of untrusted data by mandating validation of inputs such as serialized objects, blocking malicious classes that would otherwise bypass the allowlist.

detect: Enables detection of vulnerable Apache MINA versions in the environment through regular vulnerability scanning, supporting timely flaw remediation.

Security Summary (AI-generated)

CVE-2026-41635 is a critical deserialization vulnerability in Apache MINA's AbstractIoBuffer.resolveClass() method, where one code branch handling static classes or primitive types bypasses the classname allowlist entirely. This flaw enables arbitrary code execution without validation. It affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.11, and 2.2.0 through 2.2.5, specifically impacting applications that invoke the IoBuffer.getObject() method.

A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying malicious serialized data to an affected IoBuffer.getObject() call, the attacker bypasses deserialization protections, achieving remote code execution on the target system with high confidentiality, integrity, and availability impacts (CWE-502: Deserialization of Untrusted Data).

The Apache security advisory recommends upgrading to resolved versions Apache MINA 2.0.28, 2.1.11, or 2.2.6, where the fix enforces classname allowlist checks earlier by validating classes against the accepted filter before invoking Class.forName(). Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/27/4.

Details

CWE(s)

Affected Products

apache / mina: 2.0.0 — 2.0.28 · 2.1.0 — 2.1.11 · 2.2.0 — 2.2.6

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote, unauthenticated arbitrary code execution via deserialization in a network application (Apache MINA), directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References