Scaner-VS
CVE-2026-41635
ANC
Critical


CVSS: 9.8 (Critical)
EPSS: 0.01 (p45)
Published: 2026-01-01
Updated: 2026-01-01
Description

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks whether the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected applications are those using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
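As an added illustration of the bug shape the description gives (hypothetical code, not Apache MINA's own; the class name, the `resolve()` method and the loader-based branch condition are assumptions), a two-branch class lookup where only one branch consults the allowlist, beside the fixed layout that checks the allowlist before either branch reaches Class.forName():

```java
import java.io.InvalidClassException;
import java.util.Set;

// Hypothetical sketch of a resolveClass()-style lookup with two branches.
// checkEarly=false reproduces the vulnerable layout; checkEarly=true the fix.
public class ResolveClassAllowlist {
    private final Set<String> accepted;   // classname allowlist
    private final boolean checkEarly;     // apply the allowlist before any branch?

    ResolveClassAllowlist(Set<String> accepted, boolean checkEarly) {
        this.accepted = accepted;
        this.checkEarly = checkEarly;
    }

    private void requireAccepted(String name) throws InvalidClassException {
        if (!accepted.contains(name)) {
            throw new InvalidClassException(name, "class not in allowlist");
        }
    }

    Class<?> resolve(String name, ClassLoader loader) throws Exception {
        if (checkEarly) {
            requireAccepted(name);   // fix: filter before either branch calls Class.forName()
        }
        if (loader != null) {
            // Branch 1: in the vulnerable layout this path never consults the allowlist.
            return Class.forName(name, false, loader);
        }
        if (!checkEarly) {
            requireAccepted(name);   // vulnerable layout: the check lives only on branch 2
        }
        // Branch 2: default lookup.
        return Class.forName(name);
    }

    public static void main(String[] args) throws Exception {
        Set<String> allow = Set.of("java.lang.String", "java.lang.Integer");
        ClassLoader cl = ResolveClassAllowlist.class.getClassLoader();
        String notAllowed = "java.util.HashMap";   // benign stand-in for any class outside the allowlist

        // Vulnerable layout: branch 1 resolves a non-allowlisted class with no check at all.
        System.out.println(new ResolveClassAllowlist(allow, false).resolve(notAllowed, cl));

        // Fixed layout: the same name is rejected before Class.forName() runs.
        try {
            new ResolveClassAllowlist(allow, true).resolve(notAllowed, cl);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```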

Tags · CWE
Pre-auth
CWE-502
CAPEC-586
Affected products
Mina 2.0.0–2.0.28
Mina 2.1.0–2.1.11
Mina 2.2.0–2.2.6
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Timeline
2026-01-01: Published
2026-01-01: Updated
CVSS 3.1 breakdown
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)
Exploit indicators
EPSS: 0.006 · p45
Known exploited (KEV): No
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
Product   Vendor   Status
          (n/a)    Tracked
mina      (n/a)    Tracked
mina      (n/a)    Tracked
mina      (n/a)    Tracked
mina2     (n/a)    Tracked
mina2     (n/a)    Tracked
mina2     (n/a)    Tracked
mina2     (n/a)    Tracked
mina*     (n/a)    Tracked