Apache MINA Full Object Deserialization Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in Apache MINA versions 2.1.0 prior to 2.1.11 and 2.2.0 prior to 2.2.6. The flaw is in AbstractIoBuffer.resolveClass(), the ObjectInputStream hook that turns a class name read from the stream into a loaded Class: the branch taken when clazz is null (intended for static classes and primitive types) resolves the name without consulting the class-name allowlist. A client that sends a crafted serialized stream can therefore bypass the allowlist and have a class of its choosing loaded and instantiated during deserialization, which leads to arbitrary code execution. Applications are affected if they call IoBuffer.getObject() to deserialize Java objects from data received from clients.
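As an added illustration (not code from Apache MINA or from the original advisory), the following shows the affected call pattern beside a hardened replacement that never hands client bytes to IoBuffer.getObject() and instead deserializes through a JDK ObjectInputFilter (JEP 290, Java 9+) allowlist. The handler class names and the com.example.proto package are assumptions made for this example; the MINA types used are IoBuffer, IoHandlerAdapter and IoSession from mina-core, and the demo input in main() is constructed locally.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashMap;

import org.apache.mina.core.buffer.IoBuffer;
import org.apache.mina.core.service.IoHandlerAdapter;
import org.apache.mina.core.session.IoSession;

public class DeserializationHandlers {

    /** Affected pattern: the class named inside the client's bytes is what gets instantiated. */
    public static class VulnerableHandler extends IoHandlerAdapter {
        @Override
        public void messageReceived(IoSession session, Object message) throws Exception {
            IoBuffer buf = (IoBuffer) message;
            // On affected MINA releases the resolveClass() allowlist can be bypassed here,
            // so a client can make the server load and instantiate a class it names.
            Object request = buf.getObject();
            session.write("ack " + request);
        }
    }

    /** Hardened pattern: copy the bytes out and deserialize under a JEP 290 allowlist. */
    public static class FilteredHandler extends IoHandlerAdapter {
        // Assumed allowlist for this example (package com.example.proto): every other class
        // is rejected before it is loaded; the depth/array limits cap resource abuse.
        static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
                "maxdepth=16;maxarray=10000;com.example.proto.*;java.lang.String;!*");

        @Override
        public void messageReceived(IoSession session, Object message) throws Exception {
            IoBuffer buf = (IoBuffer) message;
            byte[] raw = new byte[buf.remaining()];
            buf.get(raw);                        // never call buf.getObject() on client data
            Object request = deserialize(raw);   // InvalidClassException on a rejected class
            session.write("ack " + request);
        }

        static Object deserialize(byte[] raw) throws IOException, ClassNotFoundException {
            try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(raw))) {
                in.setObjectInputFilter(FILTER);  // consulted for every class before resolution
                return in.readObject();
            }
        }
    }

    /** Constructed demo input: a plain-serialized HashMap, which the allowlist must reject. */
    public static void main(String[] args) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(new HashMap<String, String>());
        }
        try {
            FilteredHandler.deserialize(bos.toByteArray());
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected as intended: " + e.getMessage());
        }
    }
}
```

The hardened handler changes the wire format: clients must send standard ObjectOutputStream output rather than IoBuffer.putObject() output, which carries MINA's own type prefix. The filter is defence in depth, not a substitute for the upgrade; an allowlist that admits a class with a usable gadget chain is still exploitable, so keep it to the handful of message types the protocol actually needs.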

Impact

Exploitation allows a remote client that can deliver data to an endpoint deserializing it with IoBuffer.getObject() to execute arbitrary code on the server, with the privileges of the process running the affected Apache MINA version.

Remediation

Users are advised to upgrade to Apache MINA 2.1.12 or 2.2.7, where this vulnerability has been fixed. The release notes for these versions are available on the Apache MINA website, and the downloads can be accessed from the Apache MINA download pages for the 2.1 and 2.2 branches. Until the upgrade is deployed, avoid calling IoBuffer.getObject() on data received from untrusted clients; Java deserialization of client-controlled bytes should in any case be restricted to an explicit allowlist of the expected classes.

Added: May 1, 2026, 11:18 AM
Updated: May 1, 2026, 11:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 7.5
exploitability: 6.8
remediation: 7.7
relevance: 7.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.