SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2026-41409
    ▲ CriticalCVSS 9.8EPSS 0.00451%

    Apache MINA readClassDescriptor() Executes Class Static Initializers Before Class Filter

    The fix for CVE-2024-52046 in Apache MINA AbstractIoBuffer.getObject() was incomplete. The classname allowlist was applied too late - after a static initializer in the class being deserialized may have already executed - allowing unauthenticated RCE by bypassing the incomplete filter.

    CVE IDCVE-2026-41409
    CVSS v3.19.8 Critical
    VendorApache
    CWECWE-502: Deserialization of Untrusted Data
    DisclosedApr 27, 2026
    StatusPublished
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Vulnerable Code
    • 04Trigger Conditions
    • 05Impact
    • 06Remediation
    • 07Timeline
    • 08References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    The fix for CVE-2024-52046 in Apache MINA's AbstractIoBuffer.getObject() applied the classname allowlist too late in readClassDescriptor(). When a class is resolved during deserialization, its static initializer executes as part of Class.forName() before the allowlist check can reject the class. An attacker can craft a serialized payload whose class has a malicious static initializer that achieves code execution before the filter fires.

    Vendor
    Apache
    Product
    Apache Mina
    Severity
    Critical
    CVSS Score
    9.8
    Status
    Published
    CWE
    CWE-502: Deserialization of Untrusted Data
    Vector
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    9.8CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    ScopeUnchanged
    ImpactC:H / I:H / A:H
    SeverityCritical
    PoC · Exploitation Steps▲ trigger
    01No public PoC available
    03/Vulnerable Code

    The bug, and the fix.

    AbstractIoBuffer.java: readClassDescriptor() calls Class.forName(className) which triggers static initializer execution, then checks allowlist - but by then the static initializer has already run

    Root cause: Incomplete fix for CVE-2024-52046: class allowlist filter applied after Class.forName() (which triggers static initializer), not before it

    04/Trigger Conditions

    When does this fire?

    All conditions must be true for the exploit to succeed.

    Unauthenticated attacker sends a crafted serialized Java payload to a MINA-based network endpoint; the payload includes a class with a malicious static initializer that executes before the allowlist filter rejects the class

    05/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    Arbitrary code execution on MINA-based application host; full system compromise; all deserialization protection effectively bypassed

    06/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6. The fix moves the allowlist check before Class.forName() to prevent static initializer execution of disallowed classes.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2026-41409, contact disclose@securin.io
    07/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Vendor notified

    2026-04-27: CVE published | 2026-04-27: Fix released in MINA 2.0.28, 2.1.11, 2.2.6

    Timeline recorded · Disclosure coordinated by Securin

    08/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2026-41409

    nvd.nist.gov/vuln/detail/CVE-2026-41409 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →
    APACHE

    https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9

    https://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9 →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum