CVE-2026-41409

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9	Mailing List Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:mina::::::::
	cpe:2.3:a:apache:mina::::::::
	cpe:2.3:a:apache:mina::::::::

History

29 Apr 2026, 19:08

Type	Values Removed	Values Added
CPE		cpe:2.3:a:apache:mina::::::::
First Time		Apache Apache mina
References	~~() https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9 -~~	() https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9 - Mailing List, Vendor Advisory

27 Apr 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-27 10:16

Updated : 2026-04-29 19:08

NVD link : CVE-2026-41409

Mitre link : CVE-2026-41409

CVE.ORG link : CVE-2026-41409

JSON object : View

Products Affected

apache

mina

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-41409", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-04-27T10:16:09.740", "references": [{"url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"}], "lastModified": "2026-04-29T19:08:07.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD2A5F4E-7B53-4235-BE01-DD9B9E3614E0", "versionEndExcluding": "2.0.28", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E69C9219-F00B-4677-88B8-3263615586BD", "versionEndExcluding": "2.1.11", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC86281C-5EBB-4250-8575-50EB77E76F3E", "versionEndExcluding": "2.2.6", "versionStartIncluding": "2.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}