Cyber Resilience

CVE-2026-42778

CriticalRCE

Published: 01 May 2026

Published
01 May 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0066 46.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-42778 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Mina. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42778 is a vulnerability in Apache MINA stemming from an incomplete fix for CVE-2026-41409, which itself addressed an earlier incomplete patch for CVE-2024-52046 in the AbstractIoBuffer.getObject() method. The issue occurs because the classname allowlist for deserialization is applied too late, potentially allowing static initializers in untrusted classes to execute during object deserialization. Affected versions include Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6, impacting applications that use Apache MINA and invoke the IoBuffer.getObject() method.

Attackers can exploit this remotely over the network with low complexity, requiring no privileges or user interaction, as indicated by the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A remote unauthenticated attacker could send malicious serialized data to a vulnerable application, triggering execution of static initializers in a gadget class before allowlist validation, leading to arbitrary code execution and high impacts on confidentiality, integrity, and availability (CWE-502: Deserialization of Untrusted Data).

The Apache advisory recommends upgrading to Apache MINA 2.1.12 or 2.2.7, where the classname allowlist is applied earlier in the deserialization process to prevent premature static initializer execution. Details are available in the Apache mailing list thread at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied…

more

too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated deserialization of untrusted data in a network framework enables exploitation of public-facing applications (T1190) leading to arbitrary code execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41635Same product: Apache Mina
CVE-2026-42779Same product: Apache Mina
CVE-2026-41409Same product: Apache Mina
CVE-2024-56180Same vendor: Apache
CVE-2025-53606Same vendor: Apache
CVE-2026-42359Same vendor: Apache
CVE-2026-40473Same vendor: Apache
CVE-2024-52577Same vendor: Apache
CVE-2026-40860Same vendor: Apache
CVE-2026-25747Same vendor: Apache

Affected Assets

apache
mina
2.1.0 — 2.1.12 · 2.2.0 — 2.2.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely flaw remediation, such as upgrading Apache MINA to versions 2.1.12 or 2.2.7 where the deserialization classname allowlist is applied early to block static initializer execution.

prevent

Enforces software usage restrictions via allowlists or blocklists to prohibit vulnerable Apache MINA versions 2.1.0-2.1.11 and 2.2.0-2.2.6 on the system.

prevent

Validates untrusted network inputs prior to deserialization in IoBuffer.getObject() to block malicious serialized data containing exploitable gadget classes.

References