Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-42779 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-05-01 |
| Vendor | Apache Software Foundation |
| Product | Apache MINA |
| CVSS Score | 9.8 (critical) |
| EPSS Score | 0.0% (percentile: 14%) |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Original issue description:
Apache MINA’s AbstractIoBuffer.resolveClass() contains two branches; one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.
The fix checks whether the class is present in the accepted class filter before calling Class.forName().
Affected versions include Apache MINA in the 2.1.X branch (<= 2.1.11) and in the 2.2.X branch (<= 2.2.6); a fix is available in the next release of each branch.
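As an added illustration of the check the fix description calls for (this is not Apache MINA's own code), a hypothetical ObjectInputStream subclass that consults the accepted-class filter on every path before delegating to Class.forName(); the class name, the allowlist representation and the array-descriptor handling are assumptions made for this example:

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/**
 * Hypothetical allowlisting deserializer written for this advisory. It is not
 * Apache MINA's AbstractIoBuffer code; it only shows the shape the fix requires:
 * consult the accepted-class filter unconditionally, before Class.forName() runs.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> acceptedClasses;

    public AllowlistObjectInputStream(InputStream in, Set<String> acceptedClasses)
            throws IOException {
        super(in);
        this.acceptedClasses = acceptedClasses;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // The flawed shape is a special-case branch (for example for primitive or
        // array descriptors) that returns super.resolveClass(desc) before the filter
        // is consulted. Here the filter is applied first on every path, and only a
        // name that passes it reaches super.resolveClass(), where Class.forName() runs.
        String name = desc.getName();
        if (!isAllowed(name)) {
            throw new InvalidClassException(name, "class not in accepted-class filter");
        }
        return super.resolveClass(desc);
    }

    /** Judges array descriptors by their element type, so "[Lx.Y;" is checked as "x.Y". */
    boolean isAllowed(String name) {
        String element = name;
        while (element.startsWith("[")) {
            element = element.substring(1);
        }
        if (element.length() == 1) {
            return true; // primitive element type such as "I" or "Z"; no user class is loaded
        }
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);
        }
        return acceptedClasses.contains(element);
    }
}
```

On Java 9 and later the same policy can additionally be enforced with the JDK's java.io.ObjectInputFilter (set per stream or process-wide), which runs before resolveClass() and gives a second, independent check.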
Required Actions
Update Apache MINA to a release that contains the fix on both branches: 2.1.X (>= 2.1.12) and 2.2.X (>= 2.2.7). Until updated, do not accept serialized data from untrusted sources and enforce a strict class-filter policy. Audit project dependencies (mvn dependency:tree, gradle dependencies) for vulnerable Apache MINA versions.
Who Is Affected?
This vulnerability affects Apache MINA by the Apache Software Foundation in the 2.1.X and 2.2.X branches. Check whether your organization uses Apache MINA as a networking library and roll out the update.
