CVE-2026-41635
Class Allowlist Bypass in Apache MINA IoBuffer Enables RCE
Publication date: 2026-04-27
Last updated on: 2026-04-29
Assigner: Apache Software Foundation
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | mina | From 2.0.0 (inc) to 2.0.28 (exc) |
| apache | mina | From 2.1.0 (inc) to 2.1.11 (exc) |
| apache | mina | From 2.2.0 (inc) to 2.2.6 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Apache MINA's AbstractIoBuffer.resolveClass() method, where one code branch for static classes or primitive types does not verify the class against a classname allowlist. This bypass allows arbitrary code execution by loading classes without proper validation.
The issue affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The fix involves applying the classname allowlist check earlier before calling Class.forName(), preventing unauthorized classes from being loaded.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on systems using affected versions of Apache MINA that call IoBuffer.getObject(). An attacker could exploit this to run malicious code remotely without authentication, potentially compromising confidentiality, integrity, and availability of the affected system.
What immediate steps should I take to mitigate this vulnerability?
Applications using Apache MINA that call IoBuffer.getObject() are advised to upgrade to fixed versions.
- Upgrade Apache MINA to version 2.0.28 or later if using 2.0.x.
- Upgrade Apache MINA to version 2.1.11 or later if using 2.1.x.
- Upgrade Apache MINA to version 2.2.6 or later if using 2.2.x.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Apache MINA allows arbitrary code execution by bypassing the classname allowlist during deserialization. This can lead to unauthorized access, data breaches, or manipulation of sensitive information.
Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Therefore, applications using affected versions of Apache MINA that do not upgrade may be at risk of non-compliance due to potential data confidentiality, integrity, and availability violations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects specific versions of Apache MINA (2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5) where the AbstractIoBuffer.resolveClass() method does not properly enforce the classname allowlist, allowing arbitrary code execution via IoBuffer.getObject() calls.
Detection can focus on identifying the presence of vulnerable Apache MINA versions on your systems or applications. This can be done by checking the version of Apache MINA libraries in use.
Suggested commands to detect vulnerable versions include:
- Using package management or dependency tools to list Apache MINA versions, for example, in a Linux environment: `rpm -qa | grep mina` or `dpkg -l | grep mina`.
- Searching within application directories or JAR files for Apache MINA version information, e.g., `unzip -p yourapp.jar META-INF/MANIFEST.MF | grep Mina` or `strings yourapp.jar | grep 'Apache MINA'`.
- Reviewing application logs or configurations that might indicate usage of IoBuffer.getObject() calls or related Apache MINA components.
Network detection of exploitation attempts is not detailed in the provided resources, so specific network commands or signatures cannot be suggested.
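The manual checks above can be turned into a repeatable version audit. The following POSIX shell script is an added example, not part of this advisory or of Apache MINA: it classifies a mina-core version string against the three affected ranges listed in the table above and applies that check to every mina-core JAR under a directory. It assumes the JAR's META-INF/MANIFEST.MF carries an OSGi Bundle-Version header and otherwise falls back to the version embedded in the file name (e.g. mina-core-2.2.5.jar); `find` and `unzip` must be available.

```shell
#!/bin/sh
# Added example (not from the advisory or Apache MINA): classify mina-core
# versions against the affected ranges on this page:
#   [2.0.0, 2.0.28)  [2.1.0, 2.1.11)  [2.2.0, 2.2.6)
set -e

# Numeric dotted-version compare; prints lt, eq or gt.
# (A plain string compare would wrongly rank 2.0.9 above 2.0.28.)
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then echo lt; return 0; fi
    if [ "$ai" -gt "$bi" ]; then echo gt; return 0; fi
  done
  echo eq
}

# Map a version string to vulnerable / fixed / not_listed for this CVE.
mina_cve_status() {
  v=${1%%[!0-9.]*}            # drop qualifiers such as -SNAPSHOT
  case $v in
    2.0.*) fixed=2.0.28 ;;
    2.1.*) fixed=2.1.11 ;;
    2.2.*) fixed=2.2.6 ;;
    *)     echo not_listed; return 0 ;;
  esac
  if [ "$(vercmp "$v" "$fixed")" = lt ]; then echo vulnerable; else echo fixed; fi
}

# Walk a directory tree and report every mina-core JAR found.
# Assumption: the manifest carries an OSGi Bundle-Version header; otherwise
# fall back to the version embedded in the file name (mina-core-2.2.5.jar).
scan_jars() {
  find "$1" -type f -name 'mina-core*.jar' 2>/dev/null | while IFS= read -r jar; do
    ver=$(unzip -p "$jar" META-INF/MANIFEST.MF 2>/dev/null \
          | tr -d '\r' | sed -n 's/^Bundle-Version: *//p' | head -n 1)
    [ -n "$ver" ] || ver=$(basename "$jar" .jar | sed 's/^mina-core-//')
    printf '%s\t%s\t%s\n' "$(mina_cve_status "$ver")" "$ver" "$jar"
  done
}

if [ $# -gt 0 ]; then scan_jars "$1"; fi   # e.g. ./mina_check.sh /opt/app/lib
```

Each output line is status, version and path, tab-separated, so a `grep '^vulnerable'` over several hosts' output gives the upgrade list for the three fixed releases named above.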