This vulnerability (CVE-2026-41409) in Apache MINA involves unsafe deserialization due to the classname allowlist being applied too late during the deserialization process in AbstractIoBuffer.getObject(). This allows potentially malicious data to be deserialized before the allowlist check is enforced, which can lead to remote code execution or other severe impacts. The affected versions are 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5. The issue was introduced as an incomplete fix for CVE-2024-52046. The vendor fixed the issue in versions 2.0.28, 2.1.11, and 2.2.6 by applying the allowlist earlier in the deserialization process. The CVSS v3.1 score is 9.8 (critical), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to remote code execution or other severe impacts due to unsafe deserialization of untrusted data. The vulnerability affects confidentiality, integrity, and availability of affected systems. There are no known exploits in the wild at the time of publication.

A fix is available in Apache MINA versions 2.0.28, 2.1.11, and 2.2.6, which apply the classname allowlist earlier in the deserialization process. Applications using affected versions that call IoBuffer.getObject() should upgrade to one of these fixed versions to remediate the vulnerability. Patch status is confirmed by the vendor advisory. No alternative mitigations or temporary fixes are indicated.