CVE-2026-41409
Published: 27 April 2026
Summary
CVE-2026-41409 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Mina. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-41409 by requiring timely remediation through upgrading to patched Apache MINA versions 2.0.28, 2.1.11, or 2.2.6 as specified in the vendor advisory.
Vulnerability scanning identifies systems running affected Apache MINA versions (2.0.0-2.0.27, 2.1.0-2.1.10, 2.2.0-2.2.5) vulnerable to this deserialization flaw.
Integrity verification of Apache MINA library binaries ensures only authorized, patched versions are deployed, preventing exploitation via tampered or unpatched deserialization code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2026-41409 enables remote unauthenticated arbitrary code execution via deserialization in Apache MINA, a network application framework, directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions…
more
are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade
Deeper analysisAI
CVE-2026-41409 is a deserialization vulnerability in Apache MINA's AbstractIoBuffer.getObject() method, stemming from an incomplete fix for CVE-2024-52046. The classname allowlist intended to restrict deserializable classes is applied too late, permitting static initializers in potentially malicious classes to execute beforehand. This affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5, specifically impacting applications that invoke IoBuffer.getObject().
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity, as indicated by its CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying crafted serialized data, an unauthenticated adversary can trigger execution of static initializers in disallowed classes (CWE-502), potentially leading to arbitrary code execution and high-impact compromise of confidentiality, integrity, and availability.
The Apache advisory at https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9 states that the issue is fixed in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier in the process. Affected applications are advised to upgrade to these patched versions.
Details
- CWE(s)