CVE-2026-42779
Published: 01 May 2026
Summary
CVE-2026-42779 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Mina. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely patching of the deserialization flaw in vulnerable Apache MINA versions to the fixed releases 2.1.12 or 2.2.7.
Requires vulnerability scanning to identify deployments of affected Apache MINA versions vulnerable to CVE-2026-42779.
Enforces validation of untrusted serialized data supplied to Apache MINA's IoBuffer.getObject() to block malicious payloads exploiting the classname allowlist bypass.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a remote network deserialization flaw (CWE-502) in Apache MINA's IoBuffer.getObject() that bypasses allowlists to enable arbitrary code execution via Class.forName() with no authentication or user interaction required, directly mapping to exploitation of public-facing applications.
NVD Description
The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at…
more
all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.
Deeper analysisAI
CVE-2026-42779 is a vulnerability in Apache MINA stemming from an incomplete fix for the prior CVE-2026-41635. In Apache MINA's AbstractIoBuffer.resolveClass() method, one code branch handling static classes or primitive types bypasses the classname allowlist entirely, enabling arbitrary code execution through unchecked Class.forName() calls during deserialization. The issue affects Apache MINA versions 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6, specifically applications that invoke IoBuffer.getObject().
Remote attackers require no privileges, authentication, or user interaction to exploit this over the network with low complexity. By supplying malicious serialized data to an affected IoBuffer.getObject() call, they can trigger the bypass and execute arbitrary code, potentially compromising confidentiality, integrity, and availability with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CWE-502 (Deserialization of Untrusted Data).
The Apache security advisory, detailed at https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0, states the vulnerability is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist check earlier in the resolveClass() flow. Affected applications are advised to upgrade to these patched versions immediately.
Details
- CWE(s)