Bug#1135167: mina2: CVE-2026-41635
Salvatore Bonaccorso
carnil at debian.org
Tue Apr 28 16:29:07 BST 2026
Source: mina2
Version: 2.2.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for mina2.
CVE-2026-41635[0]:
| Apache MINA's AbstractIoBuffer.resolveClass() contains two branches,
| one of them (for static classes or primitive types) does not check
| the class at all, bypassing the classname allowlist and allowing
| arbitrary code to be executed. The fix checks if the class is
| present in the accepted class filter before
| calling Class.forName(). Affected versions are Apache MINA
| 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and 2.2.0 <= 2.2.5. The
| problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by
| applying the classname allowlist earlier. Affected are
| applications using Apache MINA that call IoBuffer.getObject().
| Applications using Apache MINA are advised to upgrade.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41635
https://www.cve.org/CVERecord?id=CVE-2026-41635
[1] https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
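The two-branch pattern the advisory describes, as an added illustrative example in Java that is not Apache MINA's own code: the vulnerable shape skips the allowlist on the array/primitive branch, while the hardened shape applies the allowlist before any branch can reach Class.forName(). The class, method and allowlist names here are assumptions, not MINA identifiers.

```java
import java.util.Set;

// Illustrative resolver, not Apache MINA's code: it models the pattern the CVE text
// describes (an allowlist that one branch consults and the other skips) and its fix.
public class ClassNameFilterExample {
    // Constructed allowlist of the only class names this application expects to deserialize.
    static final Set<String> ACCEPTED =
            Set.of("java.lang.String", "java.lang.Integer", "com.example.app.Message");
    // JVM descriptor letters for primitive array elements (e.g. "[I" is int[]).
    static final Set<String> PRIMITIVE_DESCRIPTORS = Set.of("Z", "B", "C", "S", "I", "J", "F", "D");

    // Vulnerable shape: array/primitive descriptors take a branch that never
    // consults the allowlist, so the filter can be bypassed on that branch.
    static Class<?> resolveClassUnchecked(String name, ClassLoader cl) throws ClassNotFoundException {
        if (name.startsWith("[")) {
            return Class.forName(name, false, cl);   // no allowlist check here
        }
        if (!ACCEPTED.contains(name)) throw new ClassNotFoundException("class not accepted: " + name);
        return Class.forName(name, false, cl);
    }

    // Hardened shape: the element class name is extracted and checked against
    // the allowlist before any branch can reach Class.forName().
    static Class<?> resolveClassChecked(String name, ClassLoader cl) throws ClassNotFoundException {
        String element = name;
        while (element.startsWith("[")) element = element.substring(1);   // strip array dimensions
        if (element.startsWith("L") && element.endsWith(";")) {
            element = element.substring(1, element.length() - 1);         // "Lx.Y;" -> "x.Y"
        }
        boolean primitiveArray = !name.equals(element) && PRIMITIVE_DESCRIPTORS.contains(element);
        if (!primitiveArray && !ACCEPTED.contains(element)) {
            throw new ClassNotFoundException("class not accepted: " + name);
        }
        return Class.forName(name, false, cl);
    }

    public static void main(String[] args) throws Exception {
        ClassLoader cl = ClassNameFilterExample.class.getClassLoader();
        System.out.println(resolveClassChecked("[Ljava.lang.String;", cl));  // allowed element type
        try {
            resolveClassChecked("[Lcom.example.other.Unexpected;", cl);       // constructed name, rejected
        } catch (ClassNotFoundException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```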