PT-2026-36315 · Apache · Apache Mina

Published

2026-05-01

·

Updated

2026-06-13

·

CVE-2026-42779

CVSS v2.0

10

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache MINA versions 2.1.0 through 2.1.11
Apache MINA versions 2.2.0 through 2.2.6
Description

Apache MINA is a network application framework. Its AbstractIoBuffer deserializes Java objects through an ObjectInputStream whose resolveClass() override is meant to check every class name against an allowlist; a branch of that override intended for static classes and primitive types returns without performing the allowlist check. An attacker who controls the bytes an application hands to IoBuffer.getObject() can therefore name classes outside the allowlist and, given a suitable gadget chain on the server's classpath, execute arbitrary code on the server without authentication. Deserialization is the process of converting a stream of bytes back into an object; deserializing untrusted bytes is the underlying weakness.
Recommendations

Upgrade Apache MINA versions 2.1.0 through 2.1.11 to version 2.1.12.
Upgrade Apache MINA versions 2.2.0 through 2.2.6 to version 2.2.7.

Until the upgrade is deployed, avoid passing attacker-controllable bytes to IoBuffer.getObject(), and enforce a JVM-wide deserialization filter (the jdk.serialFilter property or ObjectInputFilter.Config.setSerialFilter) that lists only the classes the application expects to receive. The JVM applies that filter inside every ObjectInputStream, including the one MINA constructs internally, so it holds even where the framework's own resolveClass() check is bypassed.
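The following Java program is an added example and is not code from Apache MINA or from this advisory. It shows why a process-wide deserialization filter (JEP 290, java.io.ObjectInputFilter, Java 9 or later; the jdk.serialFilter system property also works on 8u121 and later) is a useful compensating control for a bug of this class: the filter is applied by the JVM inside every ObjectInputStream, independent of whatever resolveClass() override a library installs. The Greeting class, the frameworkGetObject() stand-in for a library method such as IoBuffer.getObject(), and the two serialized payloads are all constructed for the demonstration and are assumptions, not anything from the MINA code base.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

public class SerialFilterDemo {

    // Constructed sample type: the only object the application expects to receive.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hypothetical stand-in for a framework method that deserializes received bytes
    // (the role IoBuffer.getObject() plays in the advisory). It uses a plain
    // ObjectInputStream, so on its own it accepts any Serializable class on the
    // classpath, which is the situation an allowlist bypass in resolveClass() leaves you in.
    static Object frameworkGetObject(byte[] received) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(received))) {
            return ois.readObject();
        }
    }

    static String describe(byte[] received) {
        try {
            return "accepted " + frameworkGetObject(received).getClass().getName();
        } catch (InvalidClassException e) {
            // The JVM filter reports a rejected class as InvalidClassException ("filter status: REJECTED").
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));

        // Constructed stand-in for attacker-chosen bytes: a class the protocol never uses.
        // A real attack would name the entry class of a gadget chain instead.
        List<Object> unexpectedObj = new ArrayList<>();
        unexpectedObj.add(new Date());
        byte[] unexpected = serialize(unexpectedObj);

        System.out.println("before filter: " + describe(expected));    // accepted SerialFilterDemo$Greeting
        System.out.println("before filter: " + describe(unexpected));  // accepted java.util.ArrayList

        // Process-wide filter (JEP 290). Every ObjectInputStream created from now on,
        // including ones a library constructs internally, runs this check before
        // resolving a class. setSerialFilter may be called only once per JVM and throws
        // IllegalStateException if a filter was already installed (e.g. via -Djdk.serialFilter).
        // Equivalent at launch time: -Djdk.serialFilter='SerialFilterDemo$Greeting;java.lang.String;!*'
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(
                "SerialFilterDemo$Greeting;java.lang.String;!*"));

        System.out.println("after filter:  " + describe(expected));    // still accepted
        System.out.println("after filter:  " + describe(unexpected));  // rejected: filter status: REJECTED
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. The pattern ends in `!*`, so anything not listed explicitly is rejected; when applying this to a real deployment, enumerate the application's own message classes (and the JDK types they contain) rather than allowing whole packages, and add the `maxdepth=` and `maxarray=` limits the same pattern syntax supports.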

Exploit

Fix

RCE

LPE

Deserialization of Untrusted Data


Weakness Enumeration

CWE-502 Deserialization of Untrusted Data

Related Identifiers

BDU:2026-06348
CLEANSTART-2026-DD05788
CLEANSTART-2026-LE11246
CLEANSTART-2026-LO22603
CLEANSTART-2026-RN56220
CVE-2026-42779
GHSA-VF5J-865M-MQ7C
OESA-2026-2241
OESA-2026-2242
OESA-2026-2243
OESA-2026-2244
OESA-2026-2245

Affected Products

Apache Mina