CVE Catalog

CVE-2026-42778

Critical
Published: Translated: NVD NIST

Summary

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches of Apache MINA. The issue concerns an incomplete fix for CVE-2024-52046, where the classname allowlist for deserialization was applied too late.

Risk Assessment

Applications using Apache MINA may be vulnerable to deserialization attacks, potentially leading to unauthorized access or execution of malicious code.

Recommendation

It is recommended to upgrade to Apache MINA versions 2.1.12 or 2.2.7 to apply the security fixes.

Original NVD description (English source)

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.1.0 <=

Vulnerability data from NVD (NIST) · CISA KEV · EPSS