{
  "threat_severity" : "Critical",
  "public_date" : "2026-04-27T09:20:12Z",
  "bugzilla" : {
    "description" : "Apache MINA: Apache MINA: Arbitrary code execution via incomplete deserialization fix",
    "id" : "2463175",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463175"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "draft"
  },
  "cwe" : "CWE-502",
  "details" : [ "A flaw was found in Apache MINA. An incomplete fix for a deserialization vulnerability in the `AbstractIoBuffer.getObject()` method allowed a static initializer in a class to be executed before the classname allowlist was applied. This could enable a remote attacker to execute arbitrary code by sending specially crafted data to an application using Apache MINA that calls `IoBuffer.getObject()`." ],
  "statement" : "This is a Critical deserialization flaw in Apache MINA, allowing remote attackers to execute arbitrary code. It addresses an incomplete fix for CVE-2024-52046 which could bypass security controls. Red Hat products are affected if they utilize Apache MINA and invoke the `IoBuffer.getObject()` method.",
  "package_state" : [ {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Under investigation",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Under investigation",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Under investigation",
    "package_name" : "ocp-tools-4/jenkins-rhel8",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Under investigation",
    "package_name" : "ocp-tools-4/jenkins-rhel9",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat build of Apache Camel for Spring Boot 4",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:camel_spring_boot:4"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Under investigation",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "javapackages-tools:201801/maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "maven:3.9/maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Under investigation",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41409\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41409\nhttps://lists.apache.org/thread/9ddvsq6c4l5bhwq8l14sob4f8qjvx5c9" ],
  "name" : "CVE-2026-41409",
  "csaw" : false
}