CVE-2026-41635
Published: 27 April 2026
Summary
CVE-2026-41635 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache MINA. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 32.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- Directly mitigates the CVE by requiring identification, prioritization, and remediation of the deserialization flaw through upgrading vulnerable Apache MINA versions.
- Addresses deserialization of untrusted data by mandating validation of inputs such as serialized objects, so that malicious classes cannot bypass the allowlist.
- Enables detection of vulnerable Apache MINA versions in the environment through regular vulnerability scanning, supporting timely flaw remediation.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The vulnerability enables remote, unauthenticated arbitrary code execution via deserialization in a network application (Apache MINA), directly facilitating T1190: Exploit Public-Facing Application.
NVD Description
Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of which (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks whether the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
Deeper analysis [AI-generated]
CVE-2026-41635 is a critical deserialization vulnerability in Apache MINA's AbstractIoBuffer.resolveClass() method, where one code branch handling static classes or primitive types bypasses the classname allowlist entirely. This flaw enables arbitrary code execution without validation. It affects Apache MINA versions 2.0.0 through 2.0.27, 2.1.0 through 2.1.11, and 2.2.0 through 2.2.5, specifically impacting applications that invoke the IoBuffer.getObject() method.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying malicious serialized data to an affected IoBuffer.getObject() call, the attacker bypasses deserialization protections, achieving remote code execution on the target system with high confidentiality, integrity, and availability impacts (CWE-502: Deserialization of Untrusted Data).
The Apache security advisory recommends upgrading to resolved versions Apache MINA 2.0.28, 2.1.11, or 2.2.6, where the fix enforces classname allowlist checks earlier by validating classes against the accepted filter before invoking Class.forName(). Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/27/4.
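As an added illustration (not Apache MINA's code), a minimal ObjectInputStream that applies the fix pattern the advisory describes: the allowlist check runs before Class.forName() on both branches, so a loader-less branch can no longer skip it. The class name, the allowlist contents, and the null-loader branch condition are assumptions for the demo, not details from the project.

```java
import java.io.*;
import java.util.Set;

// Illustrative ObjectInputStream (not Apache MINA's source) showing the fix pattern the
// advisory describes: the class-name allowlist is enforced before Class.forName() on every path.
public class AllowlistedObjectInputStream extends ObjectInputStream {
    private final Set<String> accepted; // hypothetical allowlist of class names
    private final ClassLoader loader;   // null selects the loader-less branch (assumed condition)

    public AllowlistedObjectInputStream(InputStream in, Set<String> accepted, ClassLoader loader) throws IOException {
        super(in);
        this.accepted = accepted;
        this.loader = loader;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // FIX: validate before either branch can reach Class.forName(). In the vulnerable layout
        // the advisory describes, one branch consulted the allowlist and the other loaded unchecked.
        if (!accepted.contains(name)) {
            throw new InvalidClassException(name, "not in deserialization allowlist");
        }
        if (loader == null) {
            return Class.forName(name);            // loader-less branch
        }
        return Class.forName(name, false, loader); // loader-aware branch
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static Object read(byte[] bytes, Set<String> accepted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistedObjectInputStream(new ByteArrayInputStream(bytes), accepted, null)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> accepted = Set.of("java.util.Date"); // constructed sample policy
        System.out.println(read(serialize(new java.util.Date(0)), accepted)); // allowed: prints the Date
        try {
            read(serialize(new java.util.HashMap<String, String>()), accepted);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage()); // HashMap is not allowlisted
        }
    }
}
```

Because the check precedes the branch on the class loader, a descriptor for a class outside the policy is rejected before any class loading happens, which is the ordering the fixed MINA releases enforce.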
Details
- CWE(s)