CVE-2026-41409
ADVISORY - githubSummary
The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allowed to be deserialized was applied too late after a static initializer in a class to be read might already have been executed.
Affected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5.
The problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by applying the classname allowlist earlier.
Affected are applications using Apache MINA that call IoBuffer.getObject().
Applications using Apache MINA are advised to upgrade
EPSS Score: 0.00184 (0.397)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Deserialization of Untrusted Data
ADVISORY - github
Deserialization of Untrusted Data
NIST
CREATED
UPDATED
ADVISORY IDCVE-2026-41409
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
9.8criticalGitHub
CREATED
UPDATED
ADVISORY IDGHSA-f2wh-grmh-r6jm
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
9.8criticalDebian
CREATED
UPDATED
ADVISORY IDCVE-2026-41409
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/AlowUbuntu
CREATED
UPDATED
ADVISORY IDCVE-2026-41409
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
N/Amediumminimos
CREATED
UPDATED
ADVISORY ID
MINI-cqqw-ww3x-8h3h
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-f34m-3qh3-9r5m
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-hr83-c37c-wf97
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-x6r2-wqrw-qvw3
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-