Vulnerability-Lookup

CNVD-2026-20429

Vulnerability from cnvd - Published: 2026-05-18

Title

Apache MINA代码问题漏洞

Description

Apache MINA是一款网络应用框架，用于构建高性能网络服务。 Apache MINA存在安全漏洞。该漏洞产生的原因是AbstractIoBuffer.resolveClass对静态类或基元类型分支未执行类过滤检查。攻击者可利用该漏洞绕过反序列化allowlist并触发非预期类加载。

Severity

高

Patch Name

Apache MINA代码问题漏洞的补丁

Patch Description

Apache MINA是一款网络应用框架，用于构建高性能网络服务。 Apache MINA存在安全漏洞。该漏洞产生的原因是AbstractIoBuffer.resolveClass对静态类或基元类型分支未执行类过滤检查。攻击者可利用该漏洞绕过反序列化allowlist并触发非预期类加载。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0

Reference

https://nvd.nist.gov/vuln/detail/CVE-2026-42779

Impacted products

Name
['Apache Apache MINA >=2.1.0，<=2.1.11', 'Apache Apache MINA >=2.2.0，<=2.2.6']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2026-42779",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2026-42779"
    }
  },
  "description": "Apache MINA\u662f\u4e00\u6b3e\u7f51\u7edc\u5e94\u7528\u6846\u67b6\uff0c\u7528\u4e8e\u6784\u5efa\u9ad8\u6027\u80fd\u7f51\u7edc\u670d\u52a1\u3002\n\nApache MINA\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u4ea7\u751f\u7684\u539f\u56e0\u662fAbstractIoBuffer.resolveClass\u5bf9\u9759\u6001\u7c7b\u6216\u57fa\u5143\u7c7b\u578b\u5206\u652f\u672a\u6267\u884c\u7c7b\u8fc7\u6ee4\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u53cd\u5e8f\u5217\u5316allowlist\u5e76\u89e6\u53d1\u975e\u9884\u671f\u7c7b\u52a0\u8f7d\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-20429",
  "openTime": "2026-05-18",
  "patchDescription": "Apache MINA\u662f\u4e00\u6b3e\u7f51\u7edc\u5e94\u7528\u6846\u67b6\uff0c\u7528\u4e8e\u6784\u5efa\u9ad8\u6027\u80fd\u7f51\u7edc\u670d\u52a1\u3002\r\n\r\nApache MINA\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u4ea7\u751f\u7684\u539f\u56e0\u662fAbstractIoBuffer.resolveClass\u5bf9\u9759\u6001\u7c7b\u6216\u57fa\u5143\u7c7b\u578b\u5206\u652f\u672a\u6267\u884c\u7c7b\u8fc7\u6ee4\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u53cd\u5e8f\u5217\u5316allowlist\u5e76\u89e6\u53d1\u975e\u9884\u671f\u7c7b\u52a0\u8f7d\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache MINA\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Apache MINA \u003e=2.1.0\uff0c\u003c=2.1.11",
      "Apache Apache MINA \u003e=2.2.0\uff0c\u003c=2.2.6"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2026-42779",
  "serverity": "\u9ad8",
  "submitTime": "2026-05-06",
  "title": "Apache MINA\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2026-42779 (GCVE-0-2026-42779)

Vulnerability from cvelistv5 – Published: 2026-05-01 10:00 – Updated: 2026-05-02 03:55

Title

Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2)

Summary

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12, and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Severity

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

apache

References

1 reference

URL	Tags
https://lists.apache.org/thread/fhlx5k91hrkgyzh7y…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache MINA	Affected: 2.2.X , ≤ 2.2.6 (semver) Affected: 2.1.X , ≤ 2.1.11 (semver)

Credits

Venkatraman Kumar, Securin

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42779",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-01T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-02T03:55:25.715Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.mina:mina-core",
          "product": "Apache MINA",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.2.6",
              "status": "affected",
              "version": "2.2.X",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.1.11",
              "status": "affected",
              "version": "2.1.X",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Venkatraman Kumar, Securin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cdiv\u003eThe fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\u003c/div\u003e\u003cdiv\u003e\u003cdiv\u003e\u003c/div\u003e\u003c/div\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eApache \u003cb\u003eMINA\u003c/b\u003e\u0027s \u003ci\u003eAbstractIoBuffer.resolveClass()\u003c/i\u003e contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003eThe fix checks if the class is present in the accepted class filter \u003cb\u003ebefore\u003c/b\u003e calling \u003ci\u003eClass.forName()\u003c/i\u003e. \u003c/div\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e\u003cdiv\u003e\u003c/div\u003eAffected versions are Apache MINA 2.1.0 \u0026lt;= 2.1.11, and 2.2.0 \u0026lt;= 2.2.6.\n\u003cbr\u003e\n\n\u003cbr\u003e\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\u003cbr\u003e\n\n\u003cbr\u003e\nAffected are applications using Apache MINA that call  IoBuffer.getObject().\n\u003cbr\u003e\n\n\u003cbr\u003e\nApplications using Apache MINA are advised to upgrade."
            }
          ],
          "value": "The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description:\n\n\n\n\n\n\n\n\n\n\n\nApache MINA\u0027s AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\n\n\n\n\nThe fix checks if the class is present in the accepted class filter before calling Class.forName(). \n\n\n\n\n\n\nAffected versions are Apache MINA 2.1.0 \u003c= 2.1.11, and 2.2.0 \u003c= 2.2.6.\n\n\n\n\n\nThe problem is resolved in Apache MINA 2.1.12, and 2.2.7 by \napplying the classname allowlist earlier.\n\n\n\n\n\nAffected are applications using Apache MINA that call  IoBuffer.getObject().\n\n\n\n\n\nApplications using Apache MINA are advised to upgrade."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-01T10:00:43.712Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/fhlx5k91hrkgyzh7yk1nghrn3k27gxy0"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter \u2014 Full Object Deserialization RCE (take 2)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-42779",
    "datePublished": "2026-05-01T10:00:43.712Z",
    "dateReserved": "2026-04-29T13:32:57.549Z",
    "dateUpdated": "2026-05-02T03:55:25.715Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-20429

CVE-2026-42779 (GCVE-0-2026-42779)

Tags

Sightings

Nomenclature