CVE-2026-42778

CriticalRCE

Published: 01 May 2026

Published

01 May 2026

Modified

01 May 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0019 40.5th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42778 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Mina. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely flaw remediation, such as upgrading Apache MINA to versions 2.1.12 or 2.2.7 where the deserialization classname allowlist is applied early to block static initializer execution.

CM-10 Software Usage Restrictions good match

prevent

Enforces software usage restrictions via allowlists or blocklists to prohibit vulnerable Apache MINA versions 2.1.0-2.1.11 and 2.2.0-2.2.6 on the system.

SI-10 Information Input Validation partial match

prevent

Validates untrusted network inputs prior to deserialization in IoBuffer.getObject() to block malicious serialized data containing exploitable gadget classes.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Remote unauthenticated deserialization of untrusted data in a network framework enables exploitation of public-facing applications (T1190) leading to arbitrary code execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied…

too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

Deeper analysisAI

CVE-2026-42778 is a vulnerability in Apache MINA stemming from an incomplete fix for CVE-2026-41409, which itself addressed an earlier incomplete patch for CVE-2024-52046 in the AbstractIoBuffer.getObject() method. The issue occurs because the classname allowlist for deserialization is applied too late, potentially allowing static initializers in untrusted classes to execute during object deserialization. Affected versions include Apache MINA 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6, impacting applications that use Apache MINA and invoke the IoBuffer.getObject() method.

Attackers can exploit this remotely over the network with low complexity, requiring no privileges or user interaction, as indicated by the CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). A remote unauthenticated attacker could send malicious serialized data to a vulnerable application, triggering execution of static initializers in a gadget class before allowlist validation, leading to arbitrary code execution and high impacts on confidentiality, integrity, and availability (CWE-502: Deserialization of Untrusted Data).

The Apache advisory recommends upgrading to Apache MINA 2.1.12 or 2.2.7, where the classname allowlist is applied earlier in the deserialization process to prevent premature static initializer execution. Details are available in the Apache mailing list thread at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0.

Details

CWE(s): CWE-502

Affected Products

apache

mina

2.1.0 — 2.1.12 · 2.2.0 — 2.2.7

CVEs Like This One

CVE-2026-41409Same product: Apache Mina

CVE-2026-42779Same product: Apache Mina

CVE-2026-41635Same product: Apache Mina

CVE-2024-56180Same vendor: Apache

CVE-2026-40860Same vendor: Apache

CVE-2025-61622Same vendor: Apache

CVE-2026-25747Same vendor: Apache

CVE-2026-40473Same vendor: Apache

CVE-2026-33454Same vendor: Apache

CVE-2025-53606Same vendor: Apache

References

https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0
Mailing List, Patch, Vendor Advisory · security@apache.org