Apache MINA AbstractIoBuffer Class Resolution Vulnerability Leading to Remote Code Execution

Vulnerability

A remote code execution vulnerability exists in the resolveClass() method of Apache MINA's AbstractIoBuffer. It affects versions 2.0.0 prior to 2.0.27, 2.1.0 prior to 2.1.10, and 2.2.0 prior to 2.2.5. When the method handles static (nested) classes or primitive types, it resolves the class before the classname allowlist is consulted, so a crafted serialized stream can name a class the allowlist would otherwise reject and have it loaded and deserialized anyway, which leads to arbitrary code execution. Only applications that use Apache MINA and call IoBuffer.getObject() on data they receive are affected.

Impact

An attacker who can deliver a crafted serialized object to a code path that ends in IoBuffer.getObject() can execute arbitrary code on the server, with the privileges of the affected Apache MINA application.

Remediation

Users are advised to upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6, where the classname allowlist check is applied before the special-case handling of static classes and primitive types, so no class name reaches class resolution without first being checked. Until the upgrade is in place, do not call IoBuffer.getObject() on data received from untrusted peers.
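The following Java program is an added illustration of the ordering problem described in the Vulnerability and Remediation sections; it is not Apache MINA's code and does not reproduce the project's actual resolveClass() implementation. It models a resolveClass() override that short-circuits for primitive type names and nested-class names (those containing '$') and shows how placing that shortcut before the allowlist check lets a serialized nested class that is not on the allowlist be resolved, while the corrected ordering rejects it. The class names (AllowlistOrderingDemo, FilteringObjectInputStream, NotAllowed), the ALLOWED set and the checkFirst flag are assumptions made for the example.

```java
import java.io.*;
import java.util.*;

/*
 * Added illustration, not Apache MINA's code. The allowlist, the shortcut
 * rule for primitive and nested-class names, and all class names here are
 * hypothetical; only the ordering problem they demonstrate matches the advisory.
 */
public class AllowlistOrderingDemo {

    // Hypothetical allowlist: only these classes may be reconstructed.
    static final Set<String> ALLOWED =
        Set.of("java.util.ArrayList", "java.lang.String", "java.lang.Integer");

    // Primitive type names that a custom resolveClass() might special-case.
    static final Map<String, Class<?>> PRIMITIVES = Map.of(
        "int", int.class, "long", long.class, "boolean", boolean.class,
        "byte", byte.class, "char", char.class, "short", short.class,
        "float", float.class, "double", double.class, "void", void.class);

    static class FilteringObjectInputStream extends ObjectInputStream {
        // true  = corrected ordering (allowlist before any shortcut)
        // false = weak ordering (shortcut returns before the allowlist is consulted)
        private final boolean checkFirst;

        FilteringObjectInputStream(InputStream in, boolean checkFirst) throws IOException {
            super(in);
            this.checkFirst = checkFirst;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (checkFirst) {
                enforce(name); // corrected: every name is checked first
            }
            // Shortcut for primitive types and nested ("static") classes.
            // With checkFirst == false this path never consults the allowlist.
            Class<?> prim = PRIMITIVES.get(name);
            if (prim != null) return prim;
            if (name.contains("$")) {
                return Class.forName(name, false, getClass().getClassLoader());
            }
            if (!checkFirst) {
                enforce(name); // weak: only non-shortcut names are checked
            }
            return super.resolveClass(desc);
        }

        private static void enforce(String name) throws InvalidClassException {
            // Normalise array descriptors so "[Ljava.lang.String;" is checked as "java.lang.String".
            String base = name;
            while (base.startsWith("[")) base = base.substring(1);
            if (base.startsWith("L") && base.endsWith(";")) base = base.substring(1, base.length() - 1);
            if (base.length() == 1 && "ZBCDFIJS".contains(base)) return; // primitive array element
            if (!ALLOWED.contains(base)) {
                throw new InvalidClassException(name, "class not on allowlist");
            }
        }
    }

    // Serializable nested class that is deliberately NOT on the allowlist.
    static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String payload = "attacker-controlled";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static String deserialize(byte[] bytes, boolean checkFirst) {
        try (FilteringObjectInputStream in =
                 new FilteringObjectInputStream(new ByteArrayInputStream(bytes), checkFirst)) {
            return "resolved " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] nested = serialize(new NotAllowed());                 // constructed input, name contains '$'
        byte[] benign = serialize(new ArrayList<>(List.of("ok")));   // constructed input, on the allowlist
        System.out.println("weak,  nested class : " + deserialize(nested, false)); // resolved: allowlist bypassed
        System.out.println("fixed, nested class : " + deserialize(nested, true));  // rejected
        System.out.println("fixed, allowed list : " + deserialize(benign, true));  // resolved
    }
}
```

Run it with `javac AllowlistOrderingDemo.java && java AllowlistOrderingDemo` (Java 9 or later, for Set.of, Map.of and List.of). The weak ordering still rejects an ordinary top-level class that is not on the allowlist; the bypass is confined to the shortcut path, which is exactly why it is easy to miss in review. As defence in depth on Java 9+, a JDK-level ObjectInputFilter (ObjectInputFilter.Config.createFilter("java.util.ArrayList;!*") installed with setObjectInputFilter) is applied by the JDK before class resolution, independently of how resolveClass() is ordered.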

Added: Apr 27, 2026, 9:34 AM
Updated: Apr 27, 2026, 9:34 AM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 7.5
exploitability: 6.8
remediation: 7.7
relevance: 6.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.