Zero Day MonitorZDM

← Back to list

9.8

CVE-2026-41409PATCHED

apache software foundation · apache mina

Apache MINA: CWE-502 Deserialization of Untrusted Data

Description

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

Affected Products

Vendor	Product	Versions
apache software foundation	apache mina	2.2.0, 2.1.0, 2.0.0

References

https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9(vendor-advisory)

Related News (1 articles)

Tier C

oss-security8h ago

CVE-2026-41409: Apache MINA: CWE-502 Deserialization of Untrusted Data

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited❌ No

Patch available

https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9

CWECWE-502

PublishedApr 27, 2026

Trending Score44

Source articles1

Independent1

Info Completeness0/14

Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-41635EXP

Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE

CRITICALCVE-2026-40860

Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

CRITICALCVE-2026-33454

Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant)

MEDIUMCVE-2026-38743

Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

CRITICALCVE-2026-40453

Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 27, 2026

Discovered by ZDM

Apr 27, 2026

Patch Available

Apr 27, 2026