
CVE-2026-42779

CRITICAL · 9.8 EPSS 0.1%
hype MIXED · 58 hack

Real vulnerability, vendor patch released, but no KEV, PoC, or exploitation evidence; mostly advisory amplification.

What: Incomplete patch in Apache MINA 2.1.X and 2.2.X branches allows remote code execution via deserialization bypass in AbstractIoBuffer.resolveClass(). CVSS 9.8 CRITICAL.

Why it matters: Prior fix for CVE-2026-41635 omitted from later branches, re-exposing classname allowlist bypass. Applications calling IoBuffer.getObject() are vulnerable. Vendor patched in 2.1.12 and 2.2.7 as of May 1, 2026. No KEV listing yet, no public PoC observed in posts.

Where it's seen: Security feed aggregators posting vendor advisory summary same day as publication. Chatter is alert-style, urging immediate upgrade to patched versions. No researcher PoC or in-the-wild exploitation reports in trending posts.

RISK: CRITICAL — Unpatched deserialization RCE in a widely deployed Apache library; high CVSS; patched versions available.

Generated by claude-haiku-4-5 from public posts and authoritative metadata. AI can make mistakes — verify against vendor advisories before acting. 5/2/2026, 10:14:22 AM

The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here is the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of which (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks whether the class is present in the accepted class filter before calling Class.forName(). Affected versions are Apache MINA 2.1.0 <= 2.1.11 and 2.2.0 <= 2.2.6. The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier. Affected are applications using Apache MINA that call IoBuffer.getObject(). Applications using Apache MINA are advised to upgrade.

Public PoCs on GitHub (4 repos)

  • nomi-sec/PoC-in-GitHub ★ 7687

    📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

  • dinosn/CVE-2026-42779 ★ 5 · Java

    CVE-2026-42779: Apache MINA AbstractIoBuffer.resolveClass() deserialization filter bypass to RCE (CVSS 9.8)

  • pereirat2/secnews-scraper ★ 1 · Python

    Zero-LLM cybersecurity news pipeline → Telegram digest. Cron-driven, ~30 feeds, severity classified.

  • win3zz/trend-scraper-bot ★ 0

    Automated daily recon for everything new in cybersecurity. Scans 50+ sources every 24 hours.

Articles & coverage (15 articles)

  • CVE-2026-42779 - Apache MINA: AbstractIoBuffer.resolveClass() null-clazz Branch Skips acceptMatchers Filter — Full Object Deserialization RCE (take 2)

    CVE-2026-42779. The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Affected versions are Apache MINA 2.1.0 <= 2.1.11, and 2.2.0 <= 2.2.6. The following products are affected by `CVE-2026-42779` vulnerability. Even if `cvefeed.io` is aware of the exact versions of the products that are affected, the information is not represented in the table below. The Common Vulnera

  • CVE-2026-42779 - Exploits & Severity - Feedly

    CVE-2026-42779. The fix for the original issue (CVE-2026-41635) was not applied to the 2.1.X and 2.2.X branches. Affected versions are Apache MINA 2.1.0 through 2.1.11, and 2.2.0 through 2.2.6. The problem is resolved in Apache MINA 2.1.12 and 2.2.7 by applying the classname allowlist earlier in the resolution process. Applications using Apache MINA are advised to upgrade immediately to version

  • Critical Deserialization RCE in Apache MINA (CVE-2026-42779) – TheHackerWire

    Critical Deserialization RCE in Apache MINA (CVE-2026-42779). CVE-2026-42779 details a critical deserialization vulnerability in Apache MINA, scoring 9.8 CVSS (Critical). Published on May 1, 2026, this flaw allows for arbitrary code execution by bypassing a classname allowlist. It’s a re-emergence of a previously addressed issue, CVE-2026-41635, where the fix wasn’t correctly applied to specific

  • CVE Explorer – Vulnerability Database | CD

    The fix for CVE-2026-41635 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed. The fix checks if t

  • CVE-2026-42779 - CVE Record

    Vulnerability detail for CVE-2026-42779. ... Common Vulnerabilities and Exposures (CVE).

NVD details: 1 CWE · 0 vendors · 1 ref

