The Apache MINA project has issued a high-priority security release to address two critical vulnerabilities that were mistakenly left unpatched in previous versions. Apache MINA 2.2.7 and 2.1.12 arrive as emergency corrections for flaws that carry a CVSS score of 9.8, potentially allowing unauthenticated Remote Code Execution (RCE).
Apache MINA is a widely used Java-based network application framework designed for high-performance systems operating over TCP/IP and UDP/IP. The failure of previous patches to make it into the 2.1.X and 2.2.X branches has left a significant number of enterprise applications exposed to object deserialization attacks.
CVE-2026-42778 is the result of an incomplete fix for a long-standing issue. In affected versions, when IoBuffer.getObject() is called, the mechanism intended to protect the system—a classname allowlist—was applied too late in the process.
Technically, a malicious class could be read, and its static initializer could be executed before the allowlist ever had a chance to block it. By the time the framework realized the class was unauthorized, the damage (code execution) could already be done.
The second flaw, tracked as CVE-2026-42779 (CVSS 9.8), involves a logic error in AbstractIoBuffer.resolveClass(). The method contained two separate processing branches, and researchers discovered that one of them—specifically for static classes or primitive types—skipped the security filters entirely.
By exploiting this “null-clazz” branch, an attacker could bypass the acceptMatchers filter to perform full object deserialization RCE. This effectively allows an external client to force the server to execute arbitrary Java classes sent over the network.
The Apache MINA team has clarified that these fixes were intended for the previous release cycle but were omitted due to a clerical mistake. Because these vulnerabilities affect any application using AbstractIoBuffer.getObject() to process client-supplied Java classes, the risk to production environments is extreme.
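As an added illustration of the two ordering mistakes described above (this is example code, not Apache MINA's implementation), the hypothetical deserializer below checks the allowlist against the class name before any class is loaded, and routes primitive arrays through the same check rather than a separate branch. It assumes JDK 9+ (Set.of, List.of); the allowlist contents and payloads are constructed sample values.

```java
import java.io.*;
import java.util.*;

// Hypothetical hardened deserializer (added example, not Apache MINA's code): the allowlist is
// consulted on the class name before anything is loaded, and every descriptor takes the same path.
public final class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;
    public AllowlistObjectInputStream(byte[] payload, Set<String> allowed) throws IOException {
        super(new ByteArrayInputStream(payload));
        this.allowed = allowed;
    }
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Arrays arrive as "[I" or "[Lcom.example.Foo;": reduce to the element type before checking.
        String element = name.replaceFirst("^\\[+L?", "").replaceFirst(";$", "");
        boolean primitive = element.length() == 1 && "ZBCSIJFD".indexOf(element.charAt(0)) >= 0;
        if (!primitive && !allowed.contains(element)) {
            // Rejected on the name alone: the class was never loaded, so no static initializer ran.
            throw new InvalidClassException(name, "class not on allowlist");
        }
        // The JDK's default resolveClass loads with initialize=false; initialization happens only later,
        // when an allowlisted class is actually instantiated.
        return super.resolveClass(desc);
    }
    // Deserializes one object, rejecting the stream if any class in it is outside the allowlist.
    public static Object readAllowed(byte[] payload, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(payload, allowed)) {
            return in.readObject();
        }
    }
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample payloads; neither carries any attacker-controlled class.
        byte[] list = serialize(new ArrayList<>(List.of("ping")));
        byte[] ints = serialize(new int[] {1, 2, 3});
        System.out.println(readAllowed(list, Set.of("java.util.ArrayList")));  // allowlisted class: accepted
        System.out.println(readAllowed(ints, Set.of()).getClass());             // primitive array: accepted
        try { readAllowed(list, Set.of()); }                                    // ArrayList not allowlisted
        catch (InvalidClassException e) { System.out.println("rejected before class load: " + e.classname); }
    }
}
```

On JDK 9+ the same allowlist can additionally be enforced with ObjectInputStream.setObjectInputFilter (JEP 290), which also bounds stream depth and array sizes.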
Impacted Versions:
- Apache MINA 2.1.0 through 2.1.11
- Apache MINA 2.2.0 through 2.2.6
Users should upgrade immediately to Apache MINA 2.1.12 or Apache MINA 2.2.7.