Apache MINA allowlist bypass turns deserialization into network RCE
TL;DR - AbstractIoBuffer.resolveClass() has a branch for static classes and primitive types that skips the accepted-class allowlist entirely. Any MINA service calling IoBuffer.getObject() on untrusted bytes is exposed to unauthenticated RCE. CVSS 9.8. Upgrade to 2.0.28, 2.1.11, or 2.2.6.
What happened
Apache MINA (org.apache.mina:mina-core) is a Java network application framework used to build protocol servers and clients. CVE-2026-41635 is a deserialization allowlist bypass.
The framework exposes IoBuffer.getObject() to deserialize objects from the wire. Internally, AbstractIoBuffer.resolveClass() handles class resolution with two branches. One branch - hit when resolving static classes or primitive types - does not check the class against the accepted-class filter at all. That gap is enough to feed attacker-controlled class names past the allowlist and reach readObject(). The result is unauthenticated remote code execution.
| Item | Detail |
|---|---|
| Affected component | org.apache.mina:mina-core |
| Trigger surface | Applications calling IoBuffer.getObject() |
| Severity | CVSS 3.1 9.8 (Critical) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Affected versions | 2.0.0 to 2.0.27, 2.1.0 to 2.1.10, 2.2.0 to 2.2.5 |
| Fixed versions | 2.0.28, 2.1.11, 2.2.6 |
This is the canonical deserialization failure mode: a class filter that looks solid until one code path quietly avoids it. "Safe" deserialization gates drift, then readObject() becomes a remote execution primitive again. If you have any MINA-based service deserializing untrusted bytes, treat this as high priority.
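To make the structural point concrete, here is an added example in Java of a deserializer whose accepted-class check sits on the only exit path of resolveClass(), with a JEP 290 ObjectInputFilter as a second, independent gate. This is example code written for this page, not MINA's source and not the upstream fix; the allowlist contents are constructed for the demonstration, and the ObjectInputFilter gate needs Java 9 or later.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

/**
 * Illustrative hardened deserializer (example code, not MINA's source).
 * The allowlist is applied on every path through resolveClass(): array
 * descriptors are reduced to their component type, primitive components
 * are accepted, everything else must be listed. No branch returns early.
 */
public final class AllowlistedObjectInput extends ObjectInputStream {

    // Constructed allowlist for the example. java.lang.Number is listed
    // because the stream carries a descriptor for every serializable
    // superclass: Integer cannot be read unless Number is accepted too.
    static final Set<String> ACCEPTED = Set.of(
            "java.lang.Integer",
            "java.lang.Number",
            "java.util.ArrayList");

    // Second gate: the same set as a JEP 290 filter with resource limits;
    // the trailing "!*" rejects anything not matched earlier in the pattern.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=1024;"
            + "java.lang.Integer;java.lang.Number;java.util.ArrayList;!*");

    AllowlistedObjectInput(byte[] bytes) throws IOException {
        super(new ByteArrayInputStream(bytes));
        setObjectInputFilter(FILTER); // must be installed before the first readObject()
    }

    /** Reduces "[[Lfoo.Bar;" to "foo.Bar" and "[B" to "B"; non-array names are returned unchanged. */
    static String componentName(String name) {
        int dims = 0;
        while (dims < name.length() && name.charAt(dims) == '[') {
            dims++;
        }
        String rest = name.substring(dims);
        if (dims > 0 && rest.startsWith("L") && rest.endsWith(";")) {
            return rest.substring(1, rest.length() - 1);
        }
        return rest;
    }

    /** JVM type codes for primitive array components (byte, char, double, ...). */
    static boolean isPrimitiveCode(String s) {
        return s.length() == 1 && "BCDFIJSZ".indexOf(s.charAt(0)) >= 0;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String component = componentName(desc.getName());
        // Single decision point: refuse before any class is loaded.
        if (!isPrimitiveCode(component) && !ACCEPTED.contains(component)) {
            throw new InvalidClassException(desc.getName(), "not in accepted-class list");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (AllowlistedObjectInput in = new AllowlistedObjectInput(bytes)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Listed types round-trip.
        List<Integer> ok = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("accepted: " + deserialize(serialize(ok)));

        // An unlisted class is refused at top level and when nested inside
        // a listed container, because every class descriptor is checked.
        List<Object> nested = new ArrayList<>();
        nested.add(new HashMap<String, String>());
        for (Object bad : new Object[] { new HashMap<String, String>(), nested }) {
            try {
                deserialize(serialize(bad));
                System.out.println("BUG: unlisted class was accepted");
            } catch (InvalidClassException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with `java AllowlistedObjectInput.java` (Java 11 or later). The superclass-descriptor detail is the point worth noticing: a developer who sees Integer fail because Number is missing is tempted to add a "harmless" shortcut for core types, and a shortcut that returns before the check is exactly the gap described above. The filter gives a second chance to catch that mistake, but it only helps if it is installed before the first read and its pattern ends in `!*`.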
Who is impacted
- Applications that depend on org.apache.mina:mina-core and call IoBuffer.getObject().
- Deployments on any of the affected release lines:
  - MINA 2.0.0 through 2.0.27
  - MINA 2.1.0 through 2.1.10
  - MINA 2.2.0 through 2.2.5
What to do now
- Upgrade to the fixed release for your branch: 2.0.28, 2.1.11, or 2.2.6. "Applications using Apache MINA are advised to upgrade."
- Inventory every place MINA appears - build manifests, lockfiles, container images, transitive dependencies - and confirm whether any code path calls IoBuffer.getObject().
- Treat this like any deserialization-RCE event: identify which endpoints accept attacker-controlled bytes that reach MINA deserialization, and prioritise patch rollout for those services first.
- If you suspect exposure, review inbound traffic logs for anomalous payloads on MINA-served ports and rotate credentials accessible from affected services.
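For the inventory step, here is an added triage helper in Java (example code written for this page, not part of the advisory or the MINA project) that scans Maven `dependency:tree` style output for mina-core coordinates and flags versions inside the affected ranges from the table above. Version comparison is numeric and component-wise, because a plain string comparison would put 2.0.9 after 2.0.27. The dependency-tree lines are constructed sample input.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Flags org.apache.mina:mina-core versions that fall inside the affected
 * ranges published for this issue. Example code, not part of the advisory.
 */
public final class MinaCoreTriage {

    // Affected ranges from the advisory table, {min, max} inclusive.
    static final String[][] AFFECTED = {
        { "2.0.0", "2.0.27" },
        { "2.1.0", "2.1.10" },
        { "2.2.0", "2.2.5" },
    };

    // Matches Maven ("mina-core:jar:2.1.3:compile") and Gradle ("mina-core:2.1.3") forms.
    static final Pattern COORD = Pattern.compile(
            "org\\.apache\\.mina:mina-core:(?:[\\w-]+:)?(\\d+\\.\\d+\\.\\d+)");

    /** Numeric, component-wise comparison so that 2.0.9 sorts before 2.0.27. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\.");
        String[] pb = b.split("\\.");
        for (int i = 0; i < Math.max(pa.length, pb.length); i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /** True when the version lies inside any affected range (inclusive bounds). */
    static boolean isAffected(String version) {
        for (String[] range : AFFECTED) {
            if (compareVersions(version, range[0]) >= 0
                    && compareVersions(version, range[1]) <= 0) {
                return true;
            }
        }
        return false;
    }

    /** One finding per mina-core coordinate found in the tree output. */
    static List<String> findings(List<String> treeLines) {
        List<String> out = new ArrayList<>();
        for (String line : treeLines) {
            Matcher m = COORD.matcher(line);
            if (m.find()) {
                String version = m.group(1);
                out.add((isAffected(version) ? "AFFECTED " : "ok       ") + "mina-core " + version);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample of "mvn dependency:tree" output; the hypothetical
        // transport library shows a transitive pull of an affected version.
        List<String> sample = List.of(
            "[INFO] com.example:gateway:jar:1.4.0",
            "[INFO] +- org.apache.mina:mina-core:jar:2.1.3:compile",
            "[INFO] +- com.example:transport-lib:jar:3.0.1:compile",
            "[INFO] |  \\- org.apache.mina:mina-core:jar:2.0.27:compile",
            "[INFO] \\- org.apache.mina:mina-core:jar:2.2.6:compile");
        findings(sample).forEach(System.out::println);
    }
}
```

Pipe real `mvn dependency:tree` or `gradle dependencies` output into `findings()` per module; a version flagged here still needs the second half of the step, confirming whether the code reachable from that module calls IoBuffer.getObject() on network input, before it is ranked for rollout.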
