CVE-2026-42779

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0	Patch Vendor Advisory Mailing List

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:apache:mina::::::::
	cpe:2.3:a:apache:mina::::::::

History

01 May 2026, 17:55

Type	Values Removed	Values Added
First Time		Apache Apache mina
References	~~() https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0 -~~	() https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0 - Patch, Vendor Advisory, Mailing List
CPE		cpe:2.3:a:apache:mina::::::::

01 May 2026, 11:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-01 11:16

Updated : 2026-05-01 17:55

NVD link : CVE-2026-42779

Mitre link : CVE-2026-42779

CVE.ORG link : CVE-2026-42779

JSON object : View

Products Affected

apache

mina

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2026-42779", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@apache.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-05-01T11:16:19.537", "references": [{"url": "https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0", "tags": ["Patch", "Vendor Advisory", "Mailing List"], "source": "security@apache.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\n\n\n\n\n\n\n\nApache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter before calling Class.forName(). \n\n\n\n\n\n\nAffected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."}], "lastModified": "2026-05-01T17:55:28.940", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BD7E18F5-1CE6-4CD7-8A0D-BD0C2574FF12", "versionEndExcluding": "2.1.12", "versionStartIncluding": "2.1.0"}, {"criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "758E989E-5CB0-471C-AADB-43EB3FB95407", "versionEndExcluding": "2.2.7", "versionStartIncluding": "2.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}