PT-2026-36315 · Apache · Apache Mina

Published

2026-05-01

·

Updated

2026-05-05

·

CVE-2026-42779

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache MINA versions 2.1.0 through 2.1.11

Apache MINA versions 2.2.0 through 2.2.6

Description

Apache MINA contains a flaw in the resolveClass() function of AbstractIoBuffer: the execution branch that handles primitive types or static classes does not validate the class against the classname allowlist. The bypass is reachable during object deserialization when IoBuffer.getObject() is called on untrusted data, potentially allowing unauthenticated remote code execution on the server.

Recommendations

Upgrade to version 2.1.12 for the 2.1.X branch.

Upgrade to version 2.2.7 for the 2.2.X branch.
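As an added illustration (this is not Apache MINA's code, nor the patched code), the self-contained Java program below shows the bug class the description names: an ObjectInputStream.resolveClass() override whose allowlist check is skipped on one branch, beside a hardened version that routes every descriptor, including array component types, through a single validation gate before anything is resolved. The class names AllowlistResolveClassDemo and Ping, the allowlist contents and the HashMap[] input are assumptions constructed for the demo; HashMap[] simply stands in for any class the allowlist does not name.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

// Added demo of the bug class in this advisory; not Apache MINA's code.
public class AllowlistResolveClassDemo {

    // Assumed allowlist: the only classes this protocol ever puts on the wire.
    static final Set<String> ALLOWED = Set.of(Ping.class.getName(), "java.lang.String");

    // JVM descriptors of primitive array components, e.g. "[I" is int[].
    static final Set<String> PRIMITIVE_DESCRIPTORS = Set.of("Z", "B", "C", "S", "I", "J", "F", "D");

    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final int seq;
        Ping(int seq) { this.seq = seq; }
    }

    // Flawed shape: the branch meant for primitive arrays returns before the
    // allowlist is consulted, so an array of ANY component class is resolved.
    static final class FlawedInputStream extends ObjectInputStream {
        FlawedInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (name.startsWith("[")) {
                return super.resolveClass(desc);   // BUG: no allowlist check on this path
            }
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "class not on deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Hardened shape: one gate validates every descriptor before any resolution.
    static final class HardenedInputStream extends ObjectInputStream {
        HardenedInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            requireAllowed(desc.getName());
            return super.resolveClass(desc);
        }
    }

    // Reduces "[[Lfoo.Bar;" to "foo.Bar" and "[I" to "I" before checking.
    static void requireAllowed(String name) throws InvalidClassException {
        String element = name;
        while (element.startsWith("[")) {
            element = element.substring(1);                 // strip array dimensions
        }
        if (PRIMITIVE_DESCRIPTORS.contains(element)) {
            return;                                          // int[], byte[][] ... carry no code
        }
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);
        }
        if (!ALLOWED.contains(element)) {
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, boolean hardened) throws IOException, ClassNotFoundException {
        InputStream bin = new ByteArrayInputStream(bytes);
        try (ObjectInputStream in = hardened ? new HardenedInputStream(bin) : new FlawedInputStream(bin)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ping = serialize(new Ping(7));
        byte[] ints = serialize(new int[] {1, 2, 3});
        byte[] smuggled = serialize(new java.util.HashMap[1]); // constructed: component not allowlisted

        for (boolean hardened : new boolean[] {false, true}) {
            String mode = hardened ? "hardened" : "flawed  ";
            System.out.println(mode + " Ping      -> seq " + ((Ping) deserialize(ping, hardened)).seq);
            System.out.println(mode + " int[]     -> length " + ((int[]) deserialize(ints, hardened)).length);
            try {
                deserialize(smuggled, hardened);
                System.out.println(mode + " HashMap[] -> accepted (allowlist bypassed)");
            } catch (InvalidClassException e) {
                System.out.println(mode + " HashMap[] -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile with javac and run: both resolvers accept Ping and int[], but only the hardened one rejects the HashMap[] descriptor, because the flawed resolver never consults the allowlist on its array branch. The practitioner's check when reviewing any custom resolveClass() is the same as the advisory's lesson: every return path, including the ones for primitive, array and "static" cases, must pass through the allowlist, and component types of arrays must be checked as well. For Apache MINA itself the remediation remains the upgrade listed under Recommendations.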

Fix

RCE

LPE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2026-42779

Affected Products

Apache Mina