## Critical Deserialization Flaw in Apache MINA Bypasses Security Filter, Affects Multiple Versions
A critical deserialization vulnerability has been identified in Apache MINA's core library, potentially allowing attackers to execute arbitrary code on affected systems. The flaw, tracked as CVE-2026-41635, exists in the AbstractIoBuffer.resolveClass() method, where one execution path fails to validate classes against the established allowlist before instantiation.

The vulnerability stems from a design weakness in how Apache MINA handles object deserialization. When processing serialized data through IoBuffer.getObject(), the resolveClass() method contains two distinct code paths. The first path properly enforces the classname allowlist, while the second—used for static classes or primitive types—performs no class validation whatsoever. This oversight creates a direct route to arbitrary code execution, as attackers can craft malicious serialized payloads that bypass the security filter entirely.

Multiple Apache MINA versions are affected: 2.0.0 through 2.0.27, 2.1.0 through 2.1.10, and 2.2.0 through 2.2.5. The vulnerability has been remediated in versions 2.0.28, 2.1.11, and 2.2.6, where the classname allowlist check is now applied earlier in the deserialization process. Organizations running Apache MINA should immediately assess whether their applications invoke IoBuffer.getObject() with untrusted input and prioritize upgrading to a patched version. The flaw carries a CWE-502 classification, indicating deserialization of untrusted data remains a persistent attack vector in enterprise Java environments.
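The remediation pattern the advisory describes, shown here as an added illustration rather than Apache MINA's own resolveClass() code: a single allowlist gate placed in front of every class-resolution path, so that array and primitive descriptors cannot take a branch that skips the check, with the JDK's JEP 290 stream filter as a second layer. The allowlisted class names and the class name AllowlistObjectInputStream are assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/** Deserializer whose allowlist check runs before any class-resolution branch. */
public final class AllowlistObjectInputStream extends ObjectInputStream {
    // Hypothetical allowlist: list only the types the protocol really carries.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.util.ArrayList");
    // JVM descriptor codes for primitive arrays ("[I" etc.); primitives never
    // reach resolveClass on their own, only as array component types.
    private static final Set<String> PRIMITIVE_CODES =
            Set.of("Z", "B", "C", "S", "I", "J", "F", "D");

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
        // Defence in depth (JEP 290): the JDK filter rejects anything outside the
        // allowlist even if a future code path forgets to consult resolveClass().
        setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                "java.lang.String;java.lang.Integer;java.util.ArrayList;!*"));
    }

    /** Reduce "[[Ljava.lang.String;" to "java.lang.String" and "[I" to "I". */
    static String elementType(String name) {
        String n = name;
        while (n.startsWith("[")) n = n.substring(1);
        return (n.startsWith("L") && n.endsWith(";")) ? n.substring(1, n.length() - 1) : n;
    }

    static boolean isAllowed(String name) {
        String elem = elementType(name);
        return ALLOWED.contains(elem)
                || (name.startsWith("[") && PRIMITIVE_CODES.contains(elem));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // One gate, evaluated before the JDK decides how to load the class.
        if (!isAllowed(name)) {
            throw new InvalidClassException(name, "not in deserialization allowlist");
        }
        return super.resolveClass(desc);
    }
}
```

Where the ObjectInputStream is created inside a library, as it is in IoBuffer.getObject(), the same allowlist can still be enforced process-wide with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which is a useful stopgap while an upgrade to a patched release is scheduled.
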

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2026-41635, deserialization, remote-code-execution, apache-mina, CWE-502
- **Credibility**: unverified
- **Published**: 2026-05-07 03:31:42
- **ID**: 80000
- **URL**: https://whisperx.ai/en/intel/80000