CVE-2026-41409: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache MINA
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
AI Analysis
Technical Summary
This vulnerability (CVE-2026-41409) in Apache MINA involves unsafe deserialization due to the classname allowlist being applied too late during the deserialization process in AbstractIoBuffer.getObject(). This allows potentially malicious data to be deserialized before the allowlist check is enforced, which can lead to remote code execution or other severe impacts. The affected versions are 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5. The issue was introduced as an incomplete fix for CVE-2024-52046. The vendor fixed the issue in versions 2.0.28, 2.1.11, and 2.2.6 by applying the allowlist earlier in the deserialization process. The CVSS v3.1 score is 9.8 (critical), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this vulnerability can lead to remote code execution or other severe impacts due to unsafe deserialization of untrusted data. The vulnerability affects confidentiality, integrity, and availability of affected systems. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
A fix is available in Apache MINA versions 2.0.28, 2.1.11, and 2.2.6, which apply the classname allowlist earlier in the deserialization process. Applications using affected versions that call IoBuffer.getObject() should upgrade to one of these fixed versions to remediate the vulnerability. Patch status is confirmed by the vendor advisory. No alternative mitigations or temporary fixes are indicated.
CVE-2026-41409: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache MINA
Description
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
CVSS v3.1
Score 9.8critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-41409) in Apache MINA involves unsafe deserialization due to the classname allowlist being applied too late during the deserialization process in AbstractIoBuffer.getObject(). This allows potentially malicious data to be deserialized before the allowlist check is enforced, which can lead to remote code execution or other severe impacts. The affected versions are 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, and 2.2.0 to 2.2.5. The issue was introduced as an incomplete fix for CVE-2024-52046. The vendor fixed the issue in versions 2.0.28, 2.1.11, and 2.2.6 by applying the allowlist earlier in the deserialization process. The CVSS v3.1 score is 9.8 (critical), reflecting network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
Successful exploitation of this vulnerability can lead to remote code execution or other severe impacts due to unsafe deserialization of untrusted data. The vulnerability affects confidentiality, integrity, and availability of affected systems. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
A fix is available in Apache MINA versions 2.0.28, 2.1.11, and 2.2.6, which apply the classname allowlist earlier in the deserialization process. Applications using affected versions that call IoBuffer.getObject() should upgrade to one of these fixed versions to remediate the vulnerability. Patch status is confirmed by the vendor advisory. No alternative mitigations or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-20T15:04:54.505Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef33a6ba26a39fba154139
Added to database: 4/27/2026, 10:00:06 AM
Last enriched: 4/27/2026, 10:15:08 AM
Last updated: 6/11/2026, 5:16:07 PM
Views: 514
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.