SB20260428219 - Multiple vulnerabilities in Apache MINA

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB20260428219

SB20260428219 - Multiple vulnerabilities in Apache MINA

Published: April 28, 2026

Security Bulletin ID SB20260428219
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-41635)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper access control in AbstractIoBuffer.resolveClass() when deserializing objects via IoBuffer.getObject(). A remote attacker can send a specially crafted serialized object to execute arbitrary code.

The issue affects the branch for static classes or primitive types, which bypasses the classname allowlist.


2) Deserialization of Untrusted Data (CVE-ID: CVE-2026-41409)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to deserialization of untrusted data in AbstractIoBuffer.getObject() when deserializing untrusted objects. A remote attacker can supply a crafted serialized object to execute arbitrary code.

Only applications that call IoBuffer.getObject() are affected.


Remediation

Install update from vendor's website.

References