Deserialization Flaw in Apache MINA IoBuffer Affects Multiple Versions
CVE-2026-42778

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Mina
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-42778?

A deserialization vulnerability exists in Apache MINA's IoBuffer.getObject() method, where the classname allowlist is applied too late, potentially allowing unauthorized class execution if accessed prematurely. This flaw impacts versions 2.1.0 through 2.1.11 and 2.2.0 through 2.2.6, and has been resolved in Apache MINA version 2.1.12 and 2.2.7 through earlier application of necessary security checks. It is imperative for users of Apache MINA to upgrade their versions to safeguard against potential exploitation.

Affected Version(s)

Apache MINA 2.2.X <= 2.2.6

Apache MINA 2.1.X <= 2.1.11

References

https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
Apr 29, 2026

Credit

Venkatraman Kumar, Securin

CVE-2026-42778 Data

JSON