Vulnerability Overview
The Apache MINA project, which maintains a widely used network application framework for building scalable server applications, has released emergency patches for two critical remote code execution vulnerabilities. The flaws, tracked as CVE-2026-42778 and CVE-2026-42779, allow attackers to execute arbitrary code on systems that deserialize untrusted data using the framework's AbstractIoBuffer.getObject() method. The root cause is insecure deserialization: a malicious serialized payload embedded in a network data stream is reconstructed into Java objects without adequate validation of what is being deserialized.
Affected Systems and Fix
The vulnerabilities only affect applications that explicitly call the AbstractIoBuffer.getObject() method to deserialize Java objects received from network clients; applications that never invoke this method on client-supplied data are not exposed through this path. A previous patch attempt failed because of a repository management error that left the fixes unmerged in two release branches. The Apache MINA team has now corrected this and released patched versions 2.2.7 and 2.1.12. CVE-2026-42778 addresses deserialization of untrusted data (CWE-502), while CVE-2026-42779 fixes a remote code execution bug in the AbstractIoBuffer.resolveClass() method. Developers should review their codebases immediately for uses of getObject() and upgrade to the patched versions.
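A small review helper for the two checks the advisory asks for: whether a build declares a mina-core version older than the patched 2.1.12 / 2.2.7 releases, and which source files call IoBuffer.getObject(). This is an added example, not code from the Apache MINA project or the article; the pom fragment and source lines are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Patched mina-core versions named in the advisory, keyed by release branch.
PATCHED = {(2, 1): (2, 1, 12), (2, 2): (2, 2, 7)}

# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project>
  <dependencies>
    <dependency>
      <groupId>org.apache.mina</groupId>
      <artifactId>mina-core</artifactId>
      <version>2.2.5</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_SOURCES = {
    "Decoder.java": "Object msg = in.getObject(getClass().getClassLoader());",
    "Safe.java": "String s = in.getString(decoder);",
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.2.5' into (2, 2, 5); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.strip().split(".") if p.isdigit())

def mina_core_versions(pom: str) -> List[str]:
    """Return every org.apache.mina:mina-core version declared in a pom."""
    pattern = re.compile(
        r"<groupId>\s*org\.apache\.mina\s*</groupId>\s*"
        r"<artifactId>\s*mina-core\s*</artifactId>\s*"
        r"<version>\s*([^<]+?)\s*</version>", re.S)
    return pattern.findall(pom)

def version_status(version: str) -> str:
    """Classify a mina-core version against the patched releases."""
    v = parse_version(version)
    fixed = PATCHED.get(v[:2])
    if fixed is None:
        return "unknown branch: verify manually"
    if v >= fixed:
        return "patched"
    return "vulnerable: upgrade to " + ".".join(map(str, fixed))

def getobject_call_sites(sources: Dict[str, str]) -> List[str]:
    """Files that call getObject(...), the only code path the advisory says is affected."""
    return sorted(n for n, src in sources.items() if re.search(r"\.getObject\s*\(", src))

if __name__ == "__main__":
    for ver in mina_core_versions(SAMPLE_POM):
        print(f"mina-core {ver}: {version_status(ver)}")
    print("getObject() call sites:", getobject_call_sites(SAMPLE_SOURCES))
```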
Source: Cybersecuritynews