Cyber Posture

CVE-2026-42779

Critical

Published: 01 May 2026

Published
01 May 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at…

more

all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mandates timely patching of the deserialization flaw in vulnerable Apache MINA versions to the fixed releases 2.1.12 or 2.2.7.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Requires vulnerability scanning to identify deployments of affected Apache MINA versions vulnerable to CVE-2026-42779.

SI-10 Information Input Validation partial match
prevent

Enforces validation of untrusted serialized data supplied to Apache MINA's IoBuffer.getObject() to block malicious payloads exploiting the classname allowlist bypass.

Security SummaryAI

CVE-2026-42779 is a vulnerability in Apache MINA stemming from an incomplete fix for the prior CVE-2026-41635. In Apache MINA's AbstractIoBuffer.resolveClass() method, one code branch handling static classes or primitive types bypasses the classname allowlist entirely, enabling arbitrary code execution through unchecked Class.forName() calls during deserialization. The issue affects Apache MINA versions 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6, specifically applications that invoke IoBuffer.getObject().

Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. By supplying malicious serialized data to an affected IoBuffer.getObject() call, they can trigger the bypass and execute arbitrary code, potentially compromising confidentiality, integrity, and availability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CWE-502 (Deserialization of Untrusted Data).

The Apache security advisory, detailed at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0, states the vulnerability is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist check earlier in the resolveClass() flow. Affected applications are advised to upgrade to these patched versions immediately.

Details

CWE(s)
CWE-502

Affected Products

apache
mina
2.1.0 — 2.1.12 · 2.2.0 — 2.2.7

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability is a remote network deserialization flaw (CWE-502) in Apache MINA's IoBuffer.getObject() that bypasses allowlists to enable arbitrary code execution via Class.forName() with no authentication or user interaction required, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References