VDB

CVE-2026-42779

CVE-2026-42779 PUBLISHED CVSS 9.8 CRITICAL

Reported by apache · Published May 1, 2026

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

EPSS 0.07% · 22.5th percentile

Risk Scores

CVSS v3.1
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.07%
22.5th percentile

Affected Products

VendorProductVersions
Apache Software FoundationApache MINA2.2.X, 2.1.X
Apache Software FoundationApache MINA2.1.X, *

Timeline

  • May 1, 2026 CVE Published
  • May 1, 2026 CVE Updated
  • May 8, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
  • May 24, 2026 EPSS Score
  • May 25, 2026 EPSS Score
  • May 26, 2026 EPSS Score

References

  • vendor-advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›