Warning: Critical arbitrary code execution vulnerability in Apache MINA, Patch Immediately!

Published: 27/04/2026
  • Last update: 27/04/2026
  • Affected software: Apache MINA 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5 (inclusive)
  • Type: Remote code execution
  • CVE/CVSS
    → CVE-2026-41635: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Apache ZDRES-059 - https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm

Risks

Applications that use a vulnerable version of Apache MINA are affected when they call IoBuffer.getObject() on data an attacker can influence. Successful exploitation gives the attacker arbitrary code execution in the context of the application. The vulnerability is exploitable over the network and requires neither privileges nor user interaction (AV:N/PR:N/UI:N in the CVSS vector above). A fully compromised system can be used to exfiltrate data or to attack other interconnected systems, with a high impact on the confidentiality, integrity and availability of the system.

Description

CVE-2026-41635 is an arbitrary code execution vulnerability in Apache MINA. IoBuffer.getObject() deserialises a Java object from the buffer's contents, and the AbstractIoBuffer.resolveClass() method used during that deserialisation contains two branches, one of which performs no class validation at all, bypassing the class-name allowlist entirely. An attacker who controls the bytes passed to getObject() can therefore force the deserialisation of arbitrary classes, which results in arbitrary code execution. Affected systems are applications that use one of the listed Apache MINA versions and call the IoBuffer.getObject() method.
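Both conditions above have to hold for an application to be exposed: a mina-core version inside one of the affected ranges, and a code path that reaches IoBuffer.getObject() with received data. The following triage script is an added example written for this advisory; it is not code from the CCB or from the Apache MINA project. It takes the affected version ranges from the advisory, scans `mvn dependency:tree` output for mina-core artifacts in those ranges, and scans Java source text for direct getObject() calls. The sample dependency-tree lines and the sample source file are constructed here for illustration. One assumption beyond the advisory text: the scan also flags MINA's ObjectSerializationDecoder and ObjectSerializationCodecFactory, because those codec classes call IoBuffer.getObject() internally on received bytes; the advisory itself names only direct callers.

```python
"""
Triage helper for CVE-2026-41635 (Apache MINA IoBuffer.getObject()).

Added example, not part of the advisory or of Apache MINA. The affected
ranges come from the advisory; the sample inputs below are constructed.
"""
import re

# Affected ranges stated in the advisory, as inclusive (low, high) tuples.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 0, 27)),
    ((2, 1, 0), (2, 1, 10)),
    ((2, 2, 0), (2, 2, 5)),
]


def parse_version(text):
    """'2.2.5', '2.1.10-SNAPSHOT', '2.0.27.RELEASE' -> (2, 2, 5), (2, 1, 10), (2, 0, 27)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the mina-core version falls inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Artifact lines as printed by `mvn dependency:tree`:
#   groupId:artifactId:packaging:version:scope
DEP_LINE = re.compile(r"org\.apache\.mina:(mina-core):[^:\s]+:([^:\s]+)")


def affected_dependencies(dependency_tree_output):
    """Return [(artifact, version)] for mina-core entries in an affected range."""
    hits = []
    for line in dependency_tree_output.splitlines():
        m = DEP_LINE.search(line)
        if m and is_affected(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


# Direct callers named by the advisory. The receiver is not type-checked here,
# so a hit on a non-IoBuffer getObject() needs manual review.
GETOBJECT_CALL = re.compile(r"\.getObject\s*\(")
# Assumption (not stated in the advisory): these MINA codec classes call
# IoBuffer.getObject() internally on received bytes, so they are flagged too.
INDIRECT_CALLERS = re.compile(r"ObjectSerialization(?:Decoder|CodecFactory)")


def scan_source(path, text):
    """Return [(path, line_number, reason)] for lines that reach getObject()."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if GETOBJECT_CALL.search(line):
            findings.append((path, lineno, "direct IoBuffer.getObject() call"))
        elif INDIRECT_CALLERS.search(line):
            findings.append((path, lineno, "MINA object-serialization codec (calls getObject internally)"))
    return findings


def triage(dependency_tree_output, sources):
    """sources: {path: java_source_text}. Exposed only if both conditions hold."""
    versions = affected_dependencies(dependency_tree_output)
    callers = [f for path, text in sources.items() for f in scan_source(path, text)]
    return {"affected_versions": versions, "callers": callers,
            "exposed": bool(versions) and bool(callers)}


# Constructed sample inputs (not real project output).
SAMPLE_DEPENDENCY_TREE = """\
[INFO] com.example:ordersvc:jar:1.4.0
[INFO] +- org.apache.mina:mina-core:bundle:2.2.5:compile
[INFO] +- org.slf4j:slf4j-api:jar:2.0.9:compile
[INFO] \\- org.apache.mina:mina-transport-apr:jar:2.2.5:runtime
"""

SAMPLE_SOURCE = """\
package com.example.ordersvc;

import org.apache.mina.core.buffer.IoBuffer;

public class OrderHandler {
    Object decode(IoBuffer in) throws Exception {
        return in.getObject(getClass().getClassLoader());  // deserialises received bytes
    }
}
"""

if __name__ == "__main__":
    report = triage(SAMPLE_DEPENDENCY_TREE, {"OrderHandler.java": SAMPLE_SOURCE})
    for artifact, version in report["affected_versions"]:
        print(f"affected dependency: {artifact} {version}")
    for path, lineno, reason in report["callers"]:
        print(f"{path}:{lineno}: {reason}")
    print("EXPOSED" if report["exposed"] else "not exposed by this check")
```

Run it against the real `mvn dependency:tree` output and the project's source tree. A result of "not exposed" only means neither condition was found by these two text scans; shaded or repackaged copies of mina-core, and getObject() reached through reflection or a third-party library, will not be caught and need a separate check.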

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable software with the highest priority after thorough testing. Until the update is applied, do not call IoBuffer.getObject() on data received from untrusted sources.

Monitor/Detect
The CCB recommends that organizations increase their monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that has already taken place. Check for signs of intrusion that predate the patch.

References

NIST NVD - https://nvd.nist.gov/vuln/detail/CVE-2026-41635