Critical (9.8)

MINA unauthenticated RCE via bad fix (CVE-2026-42779) [PoC]

CVE-2026-42779: Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 remote code execution without authentication (CVSS 9.8). Upgrade to 2.1.12 or 2.2.7.

Affected: Apache Mina

Patch now - CVE-2026-42779 is a critical deserialization bypass in Apache MINA 2.1.0-2.1.11 and 2.2.0-2.2.6 that grants unauthenticated remote code execution. Patched in 2.1.12 and 2.2.7 - update immediately.

Overview

CVE-2026-42779 is a bypass of an earlier RCE fix (CVE-2026-41635) in Apache MINA. The original vulnerability allowed arbitrary code execution via a deserialization attack by bypassing the classname allowlist in the AbstractIoBuffer.resolveClass() method. The patch for CVE-2026-41635 was intended to enforce the allowlist before calling Class.forName(), but it was only applied to the 2.0.X branch. The 2.1.X and 2.2.X branches remained vulnerable, meaning an attacker could still deserialize arbitrary classes and execute code.

This vulnerability affects applications that call IoBuffer.getObject() to deserialize data from untrusted network sources. Apache MINA is a network application framework used to develop high-performance and scalable network applications. Any service built on MINA that receives serialized objects across the network is at risk.

The vulnerability carries a CVSS score of 9.8 (Critical) due to its network-based attack vector, low attack complexity, and lack of required authentication or user interaction. An attacker only needs to send a specially crafted serialized object to the affected service to achieve full remote code execution.

While there is currently no evidence of active exploitation in the wild (CISA KEV: No, EPSS: 0.0%), the severity of the impact and the fact that this is an incomplete fix of a known RCE make timely patching essential.

Impact on affected systems

  • Unauthenticated remote code execution as the application user
  • Complete compromise of confidentiality, integrity, and availability
  • Potential lateral movement within the network

Affected versions

  • Apache MINA 2.1.0 through 2.1.11
  • Apache MINA 2.2.0 through 2.2.6

Remediation

Action required: Upgrade to a patched version immediately.

  • Upgrade to Apache MINA 2.1.12 or 2.2.7
  • These versions apply the classname allowlist check earlier in the deserialization process, preventing the bypass

If upgrading is not possible immediately, applications should restrict network access to services that use IoBuffer.getObject() to trusted networks only. Organizations should also review their network segmentation to limit the impact of a potential compromise. For context, similar deserialization vulnerabilities have been a recurring issue across Java frameworks, as highlighted by the Apache ActiveMQ CVE-2026-34197 being added to the CISA KEV catalog; this underlines the importance of validating a patch across all supported branches.

Security Insight

CVE-2026-42779 highlights a common risk in open-source project maintenance: incomplete patch propagation across version branches. When a fix is developed for one branch (2.0.X in this case) but not consistently applied to the others, downstream users who have upgraded to newer branches may remain vulnerable while believing they are safe. This incident also underscores that deserialization vulnerabilities remain a persistent weakness in Java frameworks, as seen with the ActiveMQ RCE vulnerability and others. Organizations using Apache MINA should verify that their patching process includes cross-branch validation to avoid this class of incomplete-fix vulnerabilities.

Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

Repository: dinosn/CVE-2026-42779 (★ 11)

CVE-2026-42779: Apache MINA AbstractIoBuffer.resolveClass() deserialization filter bypass to RCE (CVSS 9.8)

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.