What this actually is.
Technical background, root cause, and affected surface.
Apache MINA's AbstractIoBuffer.resolveClass() method has two code branches. One branch handles the case where clazz is null (for static classes or primitive types) and calls Class.forName() directly without checking against the acceptMatchers allowlist. This allows an attacker to craft a serialized payload that resolves through the null-clazz branch, completely bypassing all deserialization protection and deserializing arbitrary classes.
- Vendor
- Apache
- Product
- Apache Mina
- Severity
- Critical
- CVSS Score
- 9.8
- Status
- Published
- CWE
- CWE-502: Deserialization of Untrusted Data
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
AbstractIoBuffer.java: resolveClass() - if (clazz == null) { return Class.forName(desc.getName()); } // No acceptMatchers check; filter only applied in non-null clazz branch
Root cause: Incomplete filter coverage in resolveClass(): null-clazz branch does not invoke acceptMatchers check, allowing filter bypass for static class and primitive type descriptors
When does this fire?
All conditions must be true for the exploit to succeed.
Unauthenticated attacker sends a crafted serialized payload to a MINA network endpoint containing a class descriptor for a static class or primitive type, causing resolveClass() to take the unfiltered null-clazz branch and deserialize an arbitrary gadget chain class
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Arbitrary code execution on the MINA-based application host; complete bypass of all deserialization class filtering; full system compromise
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Apache MINA 2.0.28, 2.1.11, or 2.2.6. The fix adds the acceptMatchers filter check to the null-clazz branch in resolveClass() before calling Class.forName().
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-04-27: CVE published | 2026-04-27: Fix released in MINA 2.0.28, 2.1.11, 2.2.6
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.