Linux Distros Unpatched Vulnerability : CVE-2026-42779

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass...

Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass

A flaw was found in Apache MINA. A remote attacker could exploit a vulnerability in the AbstractIoBuffer.resolveClass method, which failed to properly validate class names for static classes or primitive types. This bypasses the intended security control, known as a classname allowlist, allowing ...

CVE-2026-42779

A flaw was found in Apache MINA. An attacker can exploit a vulnerability in the AbstractIoBuffer.resolveClass method, specifically when IoBuffer.getObject is called, to bypass the classname allowlist. This bypass allows for the execution of arbitrary code, potentially leading to full system...

OESA-2026-2243 apache-mina security update

Apache MINA is a network application framework which helps users develop high performance and high scalability network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO. Security Fixes: The fix for...

OESA-2026-2241 apache-mina security update

Apache MINA is a network application framework which helps users develop high performance and high scalability network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO. Security Fixes: The fix for...

Deserialization Vulnerability

Aache MINA is vulnerable to Unsafe Deserialization. The vulnerability is due to incomplete enforcement of a classname allowlist in AbstractIoBuffer.getObject, where deserialization occurs before validation, allowing execution of static initializers in malicious classes and potentially leading to...

CVE-2026-41409

A flaw was found in Apache MINA. An incomplete fix for a deserialization vulnerability in the AbstractIoBuffer.getObject method allowed a static initializer in a class to be executed before the classname allowlist was applied. This could enable a remote attacker to execute arbitrary code by sendi...

CVE-2026-42778

Apache MINA CVE-2026-42778 affects IoBuffer.getObject() deserialization. Affected: MINA 2.1.0–2.1.11 and 2.2.0–2.2.6 (also 2.1.0–2.1.110 in one note). Root cause: incomplete earlier fix for CVE-2024-52046; classname allowlist was applied too late. Impact: deserialization of untrusted data via IoB...

EUVD-2026-26492

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...

CVE-2026-42778

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...

CVE-2026-42778 Apache MINA: CWE-502 Deserialization of Untrusted Data (take 2)

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a stat...

CVE-2026-42779 Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2)

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing the classname...

EUVD-2026-26493

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing the classname...

Linux Distros Unpatched Vulnerability : CVE-2026-41635

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Apache MINA's AbstractIoBuffer.resolveClass contains two branches, one of them for static classes or primitive types does not check the class at all, bypassing...

CVE-2026-41409 Apache MINA: CWE-502 Deserialization of Untrusted Data

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 =...

CVE-2026-41409

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 =...

CVE-2026-41409 Apache MINA: CWE-502 Deserialization of Untrusted Data

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 =...

PT-2026-35373

Name of the Vulnerable Software and Affected Versions Apache MINA versions 2.0.0 through 2.0.27 Apache MINA versions 2.1.0 through 2.1.10 Apache MINA versions 2.2.0 through 2.2.5 Description A flaw in the resolveClass function of AbstractIoBuffer allows a bypass of the classname allowlist for...