VYPR
Critical severity9.8NVD Advisory· Published Apr 27, 2026· Updated Apr 29, 2026

CVE-2026-41635

CVE-2026-41635

Description

Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.

The fix checks if the class is present in the accepted class filter before calling Class.forName().

Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and

2.2.0 <= 2.2.5.

The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call  IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.mina:mina-coreMaven
>= 2.0.0, < 2.0.282.0.28
org.apache.mina:mina-coreMaven
>= 2.1.0, < 2.1.112.1.11
org.apache.mina:mina-coreMaven
>= 2.2.0, < 2.2.62.2.6

Affected products

14

Patches

Vulnerability mechanics

References

4

News mentions

1