Introduction
A deserialization allowlist bypass in Apache MINA's core buffer handling allows unauthenticated attackers to achieve remote code execution by loading arbitrary Java classes through an unguarded code path. With a CVSS score of 9.8 and the vulnerability spanning three major release lines of a foundational Java networking framework, this is a finding that warrants immediate attention from any team running applications built on MINA.
Apache MINA is a network application framework that provides an abstract, event driven, asynchronous API over various transports via Java NIO. It is widely used to build high performance and highly scalable network applications, and serves as a foundational socket library underpinning numerous downstream projects. Vulnerabilities in its core components can therefore have a cascading impact across the broader Java ecosystem.
Technical Information
The vulnerability resides in the AbstractIoBuffer.resolveClass() method within the Apache MINA core library. This method is invoked during Java object deserialization and is responsible for resolving class names to their corresponding Class objects. The method contains two execution branches: one for general classes and one specifically for static classes or primitive types.
The critical flaw is that the branch handling static classes or primitive types completely skips the accepted class filter check. When an attacker crafts a serialized object that triggers this specific branch, the method proceeds directly to calling Class.forName() without any validation against the configured allowlist. This effectively nullifies the security control that was put in place to restrict which classes can be deserialized.
Attack Flow
The exploitation path follows a clear sequence:
-
An application built on Apache MINA uses the
ObjectSerializationDecoderto handle incoming network data. This decoder is a protocol decoder that deserializes Java objects from the network stream. -
The
ObjectSerializationDecoderinternally callsIoBuffer.getObject(ClassLoader)to read a Java object from the buffer. -
During deserialization,
AbstractIoBuffer.resolveClass()is invoked to resolve class names found in the serialized data. -
The attacker crafts a malicious serialized payload that causes the resolution to take the branch for static classes or primitive types.
-
Because this branch does not check the class against the
acceptMatchersfilter, the attacker's arbitrary class is loaded viaClass.forName()without restriction. -
Through well known Java deserialization gadget chains, this unrestricted class loading leads to arbitrary code execution on the target system.
The CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H reflects the severity: the attack is network accessible, requires no privileges or user interaction, and has low complexity. All three impact dimensions (confidentiality, integrity, availability) are rated high.
The Fix
The resolution applied in versions 2.0.28, 2.1.11, and 2.2.6 moves the classname allowlist check earlier in the execution flow. The patched code verifies that the class is present in the accepted class filter before calling Class.forName(), ensuring that both branches of resolveClass() are subject to the same filtering logic.
Affected Systems and Versions
The vulnerability affects three major release lines of the Apache MINA core library:
| Product Component | Affected Versions | Fixed Version |
|---|---|---|
| Apache MINA (mina core) | 2.0.0 through 2.0.27 | 2.0.28 |
| Apache MINA (mina core) | 2.1.0 through 2.1.10 | 2.1.11 |
| Apache MINA (mina core) | 2.2.0 through 2.2.5 | 2.2.6 |
Specifically affected are applications that call IoBuffer.getObject() or use the ObjectSerializationDecoder class for deserializing Java objects from network streams. Applications that do not use these serialization components are not directly exposed.
Vendor Security History
This is not the first deserialization related vulnerability in Apache MINA. CVE-2024-52046 was a prior remote code execution vulnerability that also involved the ObjectSerializationDecoder, stemming from a lack of necessary security checks during Java native deserialization. That earlier vulnerability led to the introduction of the accept method based allowlist mechanism on the ObjectSerializationDecoder.
The recurrence of a deserialization bypass in the same component area highlights the inherent difficulty of securing Java object deserialization. Even after implementing an allowlist, the presence of an unguarded code branch in resolveClass() created a complete bypass. This pattern underscores the importance of defense in depth: relying on a single filtering checkpoint for deserialization safety remains fragile, particularly when the underlying resolution logic has multiple execution paths.
The Apache Software Foundation responded promptly to this disclosure. The vulnerability was reported on April 17, 2026, by Venkatraman Kumar from Securin, and the advisory along with patched releases was published on April 27, 2026.
References
- Apache MINA Advisory: CVE-2026-41635 (Apache Mailing List)
- CVE Record: CVE-2026-41635
- Apache MINA Project Homepage
- IoBuffer API Documentation (Apache MINA 2.0.26)
- ObjectSerializationDecoder API Documentation (Apache MINA 2.0.26)
- CVE-2024-52046 Detail (NVD)
- GitHub Advisory: Apache MINA Deserialization RCE Vulnerability (CVE-2024-52046)
