VDB

CVE-2026-41409

CVE-2026-41409 PUBLISHED CVSS 9.8 CRITICAL

Reported by apache · Published April 27, 2026

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade

EPSS 0.28% · 51.4th percentile

Risk Scores

CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.28%
51.4th percentile

Affected Products

VendorProductVersions
Apache Software FoundationApache MINA2.2.0, 2.1.0, 2.0.0
Apache Software FoundationApache MINA2.2.0, 2.1.0, 2.0.0

Timeline

  • Apr 27, 2026 CVE Published
  • May 5, 2026 CVE Updated
  • May 6, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score

References

  • vendor-advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›