JustAppSec

Apache MINA allowlist bypass opens unauthenticated deserialization RCE

Published 01 May 2026. Updated 01 May 2026. Source: CVEProject (cvelistV5).

TL;DR - AbstractIoBuffer.resolveClass() has a branch that silently skips the accepted-class filter. Any attacker who can feed serialized data to a server calling IoBuffer.getObject() can reach arbitrary Java deserialization and execute code remotely.

What happened

Apache MINA is a Java network application framework used to build custom protocol servers. Applications that accept client-supplied binary data sometimes call IoBuffer.getObject() to deserialize incoming Java objects - which is exactly where this breaks down.

CVE-2026-42779 is an allowlist bypass in AbstractIoBuffer.resolveClass(). The method has two branches: one for standard dynamically resolved classes, and one for static classes or primitive types. The second branch skips the configured accepted-class filter entirely, so the allowlist meant to constrain what getObject() will instantiate never runs for a payload routed through it. An attacker who can supply a crafted serialized payload to any server that calls IoBuffer.getObject() reaches arbitrary Java deserialization and, given a usable gadget chain on the server's classpath, unauthenticated remote code execution.

This is explicitly a "take 2" patch. The CVE record notes that the fix for the earlier CVE-2026-41635 was never applied to the 2.1.x and 2.2.x release branches. If your team upgraded in response to that prior advisory and stayed on either of those lines, you may still be exposed.

Who is impacted

  • Applications using Apache MINA that call IoBuffer.getObject() to deserialize client-supplied data.
  • Unauthenticated network access is enough - no credentials needed.

Package                      Affected versions    Fixed version
org.apache.mina:mina-core    2.1.0 to 2.1.11      2.1.12
org.apache.mina:mina-core    2.2.0 to 2.2.6       2.2.7

What to do now

  • Upgrade. Apply 2.1.12 if you're on the 2.1.x line, or 2.2.7 if you're on 2.2.x.

    "Applications using Apache MINA are advised to upgrade."

  • Audit your dependency tree. Search for org.apache.mina:mina-core in direct and transitive dependencies, including shaded and repackaged JARs. Don't assume the build tool's reported dependency graph is complete: a shaded copy of mina-core inside another artifact will not appear in it.
  • Find every call site for IoBuffer.getObject(). If your code or any library you include calls this method on client-supplied data, treat it as high-risk until you've confirmed you're on a patched version and have redeployed.
  • If compromise is suspected, scope inbound traffic for serialized object payloads targeting MINA-backed services and rotate any credentials accessible to those processes. Java serialization streams begin with the bytes AC ED 00 05 (base64 "rO0AB"), which is a practical pivot when searching packet captures or proxy logs.
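
A small triage script for the audit steps above, added here as an example; it is not code from the advisory or from the MINA project. It assumes Maven dependency:tree output and Java sources that import org.apache.mina.core.buffer.IoBuffer. The dependency tree text and the two source files it scans are constructed inline so the script runs offline; the version table it encodes is the one on this page.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-42779 (example code, not from the advisory
# or the MINA project). It classifies mina-core versions against the
# advisory's affected/fixed table and lists IoBuffer.getObject() call sites.
# Assumptions: Maven `dependency:tree` line format, and Java sources that
# import org.apache.mina.core.buffer.IoBuffer.

# Classify one mina-core version string. Prints one of:
#   affected   2.1.0-2.1.11 or 2.2.0-2.2.6 (the advisory's affected ranges)
#   fixed      2.1.12+ or 2.2.7+
#   not-listed any other line (e.g. 2.0.x) or an unparsable version;
#              treat as "check the advisory", never as "safe"
mina_core_status() {
  v=$1
  major=$(printf '%s' "$v" | cut -d. -f1)
  minor=$(printf '%s' "$v" | cut -d. -f2)
  patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')   # "12-SNAPSHOT" -> "12"
  case "$patch" in '' | *[!0-9]*) echo not-listed; return 0 ;; esac
  case "$major.$minor" in
    2.1) [ "$patch" -le 11 ] && echo affected || echo fixed ;;
    2.2) [ "$patch" -le 6 ]  && echo affected || echo fixed ;;
    *)   echo not-listed ;;
  esac
}

# Report every mina-core version in `mvn dependency:tree` text read from stdin
# (lines look like "[INFO] +- org.apache.mina:mina-core:jar:2.2.4:compile").
# Output: one "<version> <status>" line per distinct version.
report_mina_core() {
  grep -o 'org\.apache\.mina:mina-core:jar:[^:[:space:]]*' \
    | sed 's/.*://' | sort -u \
    | while read -r ver; do
        printf '%s %s\n' "$ver" "$(mina_core_status "$ver")"
      done
}

# List getObject( call sites under a source tree. Only files that import
# MINA's IoBuffer are searched, so getObject() on unrelated classes is not
# reported. Output: "file:line:source" (the /dev/null trick forces the
# filename prefix on POSIX grep).
find_getobject_callsites() {
  find "$1" -name '*.java' -exec grep -l 'org\.apache\.mina\.core\.buffer\.IoBuffer' {} + 2>/dev/null \
    | while read -r f; do
        grep -n '\.getObject(' "$f" /dev/null || true
      done
}

# Constructed sample dependency tree (not real project output).
SAMPLE_TREE='[INFO] com.example:proto-server:jar:1.0.0
[INFO] +- org.apache.mina:mina-core:jar:2.2.4:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- com.example:legacy-client:jar:3.1.0:compile
[INFO]    \- org.apache.mina:mina-core:jar:2.1.12:compile'

# Builds a throwaway source tree with one risky call site and one decoy,
# runs the scan, and prints the number of call sites found (expected: 1).
demo_callsite_count() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/src"
  cat > "$tmp/src/FrameHandler.java" <<'EOF'
import org.apache.mina.core.buffer.IoBuffer;
public class FrameHandler {
    Object decode(IoBuffer in) throws Exception {
        return in.getObject();   // client-supplied bytes: the risky call
    }
}
EOF
  cat > "$tmp/src/JsonUtil.java" <<'EOF'
public class JsonUtil {
    Object read(SomeJsonNode n) { return n.getObject(); } // unrelated getObject
}
EOF
  find_getobject_callsites "$tmp/src" | wc -l | tr -d ' '
  rm -rf "$tmp"
}

printf '%s\n' "$SAMPLE_TREE" | report_mina_core   # 2.1.12 fixed / 2.2.4 affected
demo_callsite_count
```

Gradle's dependencies output uses org.apache.mina:mina-core:2.2.4 without the jar segment and shows conflict resolution after an arrow, so adapt the grep before pointing report_mina_core at it. A shaded copy of mina-core appears in neither tool's output, which is why the source scan is a separate step, and 2.0.x is deliberately reported as not-listed because the table on this page covers only the 2.1.x and 2.2.x lines.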
