Zero Day MonitorZDM

← Back to list

9.8

CVE-2026-41635EXPLOITEDPATCHED

apache software foundation · apache mina

Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE

Description

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Affected Products

Vendor	Product	Versions
apache software foundation	apache mina	2.2.0, 2.1.0, 2.0.0

References

https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm(vendor-advisory)

Related News (2 articles)

Tier C

oss-security6h ago

ZDRES-059: CVE-2026-41635: Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE

→ No new info (linked only)

Tier C

VulDB12h ago

CVE-2026-41635 | Apache MINA up to 2.0.27/2.1.10/2.2.5 acceptMatchers Filter AbstractIoBuffer.resolveClass deserialization

→ No new info (linked only)

CVSS 3.19.8 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm

CWECWE-502

PublishedApr 27, 2026

Last enriched6h agov3

Tags

CVE-2026-41635

Trending Score74

Source articles2

Independent2

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-41409

Apache MINA: CWE-502 Deserialization of Untrusted Data

CRITICALCVE-2026-40860

Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp

CRITICALCVE-2026-33454

Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant)

MEDIUMCVE-2026-38743

Apache Airflow: Dags endpoint might provide access to otherwise inaccessible entities

CRITICALCVE-2026-40453

Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 27, 2026

Discovered by ZDM

Apr 27, 2026

Updated: description, activelyExploited

Apr 27, 2026

Updated: affectedVersions, severity, exploitAvailable, tags

Apr 27, 2026

Actively Exploited

Apr 27, 2026

Exploit Available

Apr 27, 2026

Patch Available

Apr 27, 2026

Version History

v3

Last enriched 6h ago

v3Tier C6h ago

Updated affected versions, changed severity to HIGH, marked exploit as available, and added CVE tag.

affectedVersionsseverityexploitAvailabletags

via oss-security

v2Tier C11h ago

Updated description with new details about the vulnerability and changed exploit availability to false.

descriptionactivelyExploited

via VulDB

v112h ago

Initial creation