Home / Vulnerability Intelligence / CVE-2026-41409

CVE-2026-41409 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 27, 2026

Apache MINA - Insecure Deserialization

Published: April 27, 2026Updated: April 27, 2026Remote Exploitable

Overview

Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5 contain an insecure deserialization caused by late application of classname allowlist in AbstractIoBuffer.getObject(), letting attackers execute malicious deserialization, exploit requires use of IoBuffer.getObject().

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 14.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code via crafted deserialization, potentially leading to full system compromise.

Mitigation

Upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6 or later.

References

https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

May 1, 2026

🔴 CVE-2026-42778 - Critical (9.8) The fix for CVE-2026-41409 was not applied to the 2.1.X and 2.2.X branches. Here was the original issue description: The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist of classes allo... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-42778/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-41409
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: unconfirmed
EPSS: 14.0%
Social Posts: 1

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

14.0%Probability of exploitation in the next 30 days