PT-2026-35387 · Apache · Apache Mina

Venkatraman Kumar · Published 2026-04-27 · Updated 2026-06-04 · CVE-2026-41409

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache MINA versions 2.0.0 through 2.0.27
Apache MINA versions 2.1.0 through 2.1.10
Apache MINA versions 2.2.0 through 2.2.5

Description

An issue exists in the getObject() function of the AbstractIoBuffer class due to an incomplete deserialization mechanism. The classname allowlist, which restricts which classes can be deserialized, is applied too late: the static initializer of a class that is not on the allowlist may already have executed by the time the check occurs. This flaw allows a remote attacker to execute arbitrary code on applications that call the getObject() function.

Recommendations

Update to version 2.0.28 for versions 2.0.0 through 2.0.27.
Update to version 2.1.11 for versions 2.1.0 through 2.1.10.
Update to version 2.2.6 for versions 2.2.0 through 2.2.5.
As a temporary workaround, restrict the use of the getObject() function.
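The ordering problem the description names, shown as an added illustration that is not Apache MINA's code: a late allowlist check made on the object that readObject() returns, beside an early check in resolveClass() that rejects the class before it is initialized or instantiated. The Untrusted class, AllowlistOrderingDemo and the allowlist contents are constructed for this demo.

```java
import java.io.*;
import java.util.Set;

// Constructed stand-in for a class that is NOT on the allowlist. Its private readObject hook
// runs while ObjectInputStream.readObject() is still executing, the same window in which the
// static initializer of a not-yet-loaded class runs: before any check on the returned object.
class Untrusted implements Serializable {
    static int hooksRun = 0;
    private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
        in.defaultReadObject();
        hooksRun++;
    }
}

public class AllowlistOrderingDemo {
    static final Set<String> ALLOWED = Set.of("java.lang.String");
    // Late check: the allowlist is consulted only after readObject() returns, when the class
    // has already been resolved, initialized and instantiated.
    static Object readThenCheck(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            Object o = in.readObject();
            if (!ALLOWED.contains(o.getClass().getName()))
                throw new InvalidClassException(o.getClass().getName(), "not on allowlist");
            return o;
        }
    }
    // Early check: resolveClass() is invoked from inside readObject() before the class is
    // initialized or instantiated, so a rejected class never gets to run any code.
    static Object checkThenRead(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) {
            @Override protected Class<?> resolveClass(ObjectStreamClass d)
                    throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(d.getName()))
                    throw new InvalidClassException(d.getName(), "not on allowlist");
                return super.resolveClass(d);
            }
        }) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(new Untrusted()); }
        byte[] data = bos.toByteArray();  // constructed sample input: one Untrusted instance
        try { readThenCheck(data); } catch (InvalidClassException e) { }
        System.out.println("after late check, hooksRun = " + Untrusted.hooksRun);
        try { checkThenRead(data); } catch (InvalidClassException e) { }
        System.out.println("after early check, hooksRun = " + Untrusted.hooksRun);
    }
}
```

The demo counts a readObject hook rather than a static initializer only because serializing the sample in the same JVM already initializes Untrusted; a class first loaded during deserialization has its static initializer run in the same window. On Java 9 and later, ObjectInputStream.setObjectInputFilter() gives the same early rejection without subclassing the stream.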

Tags: Fix · RCE · LPE · Deserialization of Untrusted Data


Weakness Enumeration

Related Identifiers

BDU:2026-06345
CLEANSTART-2026-DD05788
CLEANSTART-2026-LE11246
CLEANSTART-2026-LO22603
CLEANSTART-2026-RN56220
CVE-2026-41409
GHSA-F2WH-GRMH-R6JM
OESA-2026-2167
OESA-2026-2168
OESA-2026-2241
OESA-2026-2242
OESA-2026-2244

Affected Products

Apache Mina