CVE-2026-41635
Received Received - Intake
Class Allowlist Bypass in Apache MINA IoBuffer Enables RCE

Publication date: 2026-04-27

Last updated on: 2026-04-29

Assigner: Apache Software Foundation

Description
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filterΒ before callingΒ Class.forName().Β  Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that callΒ  IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41635
EUVD
EUVD-2026-25796
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache mina From 2.0.0 (inc) to 2.0.28 (exc)
apache mina From 2.1.0 (inc) to 2.1.11 (exc)
apache mina From 2.2.0 (inc) to 2.2.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Apache MINA's AbstractIoBuffer.resolveClass() method, where one code branch for static classes or primitive types does not verify the class against a classname allowlist. This bypass allows arbitrary code execution by loading classes without proper validation.

The issue affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The fix involves applying the classname allowlist check earlier before calling Class.forName(), preventing unauthorized classes from being loaded.

Impact Analysis

This vulnerability can lead to arbitrary code execution on systems using affected versions of Apache MINA that call IoBuffer.getObject(). An attacker could exploit this to run malicious code remotely without authentication, potentially compromising confidentiality, integrity, and availability of the affected system.

Mitigation Strategies

Applications using Apache MINA that call IoBuffer.getObject() are advised to upgrade to fixed versions.

  • Upgrade Apache MINA to version 2.0.28 or later if using 2.0.x.
  • Upgrade Apache MINA to version 2.1.11 or later if using 2.1.x.
  • Upgrade Apache MINA to version 2.2.6 or later if using 2.2.x.
Detection Guidance

This vulnerability affects specific versions of Apache MINA (2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5) where the AbstractIoBuffer.resolveClass() method does not properly enforce the classname allowlist, allowing arbitrary code execution via IoBuffer.getObject() calls.

Detection can focus on identifying the presence of vulnerable Apache MINA versions on your systems or applications. This can be done by checking the version of Apache MINA libraries in use.

Suggested commands to detect vulnerable versions include:

  • Using package management or dependency tools to list Apache MINA versions, for example, in a Linux environment: `rpm -qa | grep mina` or `dpkg -l | grep mina`.
  • Searching within application directories or JAR files for Apache MINA version information, e.g., `unzip -p yourapp.jar META-INF/MANIFEST.MF | grep Mina` or `strings yourapp.jar | grep 'Apache MINA'`.
  • Reviewing application logs or configurations that might indicate usage of IoBuffer.getObject() calls or related Apache MINA components.

Network detection of exploitation attempts is not detailed in the provided resources, so specific network commands or signatures cannot be suggested.

Compliance Impact

The vulnerability in Apache MINA allows arbitrary code execution by bypassing the classname allowlist during deserialization. This can lead to unauthorized access, data breaches, or manipulation of sensitive information.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Therefore, applications using affected versions of Apache MINA that do not upgrade may be at risk of non-compliance due to potential data confidentiality, integrity, and availability violations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41635. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart