What this actually is.
Technical background, root cause, and affected surface.
The fix for CVE-2024-52046 in Apache MINA's AbstractIoBuffer.getObject() applied the classname allowlist too late in readClassDescriptor(). When a class is resolved during deserialization, its static initializer executes as part of Class.forName() before the allowlist check can reject the class. An attacker can craft a serialized payload whose class has a malicious static initializer that achieves code execution before the filter fires.
- Vendor
- Apache
- Product
- Apache Mina
- Severity
- Critical
- CVSS Score
- 9.8
- Status
- Published
- CWE
- CWE-502: Deserialization of Untrusted Data
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
AbstractIoBuffer.java: readClassDescriptor() calls Class.forName(className) which triggers static initializer execution, then checks allowlist - but by then the static initializer has already run
Root cause: Incomplete fix for CVE-2024-52046: class allowlist filter applied after Class.forName() (which triggers static initializer), not before it
When does this fire?
All conditions must be true for the exploit to succeed.
Unauthenticated attacker sends a crafted serialized Java payload to a MINA-based network endpoint; the payload includes a class with a malicious static initializer that executes before the allowlist filter rejects the class
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Arbitrary code execution on MINA-based application host; full system compromise; all deserialization protection effectively bypassed
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6. The fix moves the allowlist check before Class.forName() to prevent static initializer execution of disallowed classes.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-04-27: CVE published | 2026-04-27: Fix released in MINA 2.0.28, 2.1.11, 2.2.6
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.