CVE-2026-42778
Published: 01 May 2026
Description
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied…
more
too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely flaw remediation, such as upgrading Apache MINA to versions 2.1.12 or 2.2.7 where the deserialization classname allowlist is applied early to block static initializer execution.
Enforces software usage restrictions via allowlists or blocklists to prohibit vulnerable Apache MINA versions 2.1.0-2.1.11 and 2.2.0-2.2.6 on the system.
Validates untrusted network inputs prior to deserialization in IoBuffer.getObject() to block malicious serialized data containing exploitable gadget classes.
Security SummaryAI
CVE-2026-42778 is a vulnerability in Apache MINA stemming from an incomplete fix for CVE-2026-41409, which itself addressed an earlier incomplete patch for CVE-2024-52046 in the AbstractIoBuffer.getObject() method. The issue occurs because the classname allowlist for deserialization is applied too late, potentially allowing static initializers in untrusted classes to execute during object deserialization. Affected versions include Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6, impacting applications that use Apache MINA and invoke the IoBuffer.getObject() method.
Attackers can exploit this remotely over the network with low complexity, requiring no privileges or user interaction, as indicated by the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A remote unauthenticated attacker could send malicious serialized data to a vulnerable application, triggering execution of static initializers in a gadget class before allowlist validation, leading to arbitrary code execution and high impacts on confidentiality, integrity, and availability (CWE-502: Deserialization of Untrusted Data).
The Apache advisory recommends upgrading to Apache MINA 2.1.12 or 2.2.7, where the classname allowlist is applied earlier in the deserialization process to prevent premature static initializer execution. Details are available in the Apache mailing list thread at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated deserialization of untrusted data in a network framework enables exploitation of public-facing applications (T1190) leading to arbitrary code execution (T1059).