Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42778 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | Apache Software Foundation |
| Product | Apache MINA |
| CVSS Score | 9.8 (critical) |
| EPSS Score | 0.0% (percentile: 14%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Original issue description:
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The allowlist of class names permitted for deserialization was applied too late: a static initializer of a class named in the stream might already have been executed before the name was checked.
Affected versions are Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6.
The problem is resolved in Apache MINA 2.1.12 and the corresponding fix release in the 2.2.X branch.
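The ordering flaw described above, as an added illustration that is not MINA's code: a custom ObjectInputStream that calls Class.forName(name) before consulting its allowlist runs the named class's static initializer even though the object is ultimately rejected, whereas checking the descriptor name first never loads the class. The Probe and Witness classes, the class names and the hand-built single-object stream are constructed for this demonstration; the JDK default resolveClass loads with initialize=false, which the early-check variant relies on.

```java
import java.io.*;
import java.util.Set;
class Witness { static boolean probeInitialized = false; }  // separate holder: reading it does not initialise Probe
class Probe implements Serializable { static { Witness.probeInitialized = true; } }  // constructed stand-in class
/** Anti-pattern: Class.forName(name) loads AND initialises the class before its name is checked. */
class LateCheckInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    LateCheckInputStream(byte[] d, Set<String> a) throws IOException { super(new ByteArrayInputStream(d)); allowed = a; }
    @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        Class<?> cls = Class.forName(desc.getName());   // static initializer has already run by this point
        if (!allowed.contains(cls.getName())) throw new InvalidClassException(cls.getName(), "not allowlisted");
        return cls;
    }
}
/** Correct order: reject on the name carried in the stream descriptor before any class is loaded. */
class EarlyCheckInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    EarlyCheckInputStream(byte[] d, Set<String> a) throws IOException { super(new ByteArrayInputStream(d)); allowed = a; }
    @Override protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) throw new InvalidClassException(name, "not allowlisted");
        return super.resolveClass(desc);                // JDK default loads with initialize=false
    }
}
public class DeserializationOrderCheck {
    /** Constructed stream: one TC_OBJECT whose class descriptor names className and declares no fields. */
    static byte[] streamNaming(String className) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream(); DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC); out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_OBJECT); out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);
        out.writeLong(0L);                                    // serialVersionUID: never compared, rejected first
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE); // classDescFlags
        out.writeShort(0);                                    // field count
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA); // end of class annotation
        out.writeByte(ObjectStreamConstants.TC_NULL);         // no superclass descriptor
        return bos.toByteArray();
    }
    /** Reads one object (expected to be rejected) and reports whether Probe's static initializer ran. */
    static boolean probeInitializedAfter(ObjectInputStream in) {
        try (in) { in.readObject(); } catch (IOException | ClassNotFoundException e) { /* rejected, as intended */ }
        return Witness.probeInitialized;
    }
    public static void main(String[] args) throws IOException {
        byte[] data = streamNaming("Probe");
        Set<String> allowed = Set.of("java.lang.String");     // Probe is deliberately not on the list
        System.out.println("early check ran Probe.<clinit>: " + probeInitializedAfter(new EarlyCheckInputStream(data, allowed)));
        System.out.println("late check ran Probe.<clinit>:  " + probeInitializedAfter(new LateCheckInputStream(data, allowed)));
    }
}
```

Run the early-check variant first: once the late-check variant has initialised Probe, the flag stays set for the rest of the JVM's life, which is exactly why a late check cannot be undone.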
Required Actions
Update Apache MINA to version 2.1.12 (2.1.X branch) or the corresponding fix release in the 2.2.X branch (>= 2.2.7) immediately. Until updated, do not deserialize data from untrusted sources via AbstractIoBuffer.getObject() and consider configuring a very restrictive class-filter allowlist. Review logs of MINA-based applications for unexpected deserialization activity.
Who Is Affected?
This vulnerability affects Apache MINA by the Apache Software Foundation in the 2.1.X and 2.2.X branches. Check whether your organization uses Apache MINA as a networking library in Java applications and roll out the update.