{ "threat_severity" : "Low", "public_date" : "2026-04-27T08:59:50Z", "bugzilla" : { "description" : "Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass", "id" : "2463177", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463177" }, "cvss3" : { "cvss3_base_score" : "9.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "draft" }, "cwe" : "CWE-502", "details" : [ "A flaw was found in Apache MINA. A remote attacker could exploit a vulnerability in the `AbstractIoBuffer.resolveClass()` method, which failed to properly validate class names for static classes or primitive types. This bypasses the intended security control, known as a classname allowlist, allowing an attacker to execute arbitrary code on systems running applications that use Apache MINA and call `IoBuffer.getObject()`. This could lead to a complete compromise of the affected system." ], "statement" : "Red Hat products are affected by this vulnerability. However, the vulnerable code cannot be reached and therefore are not vulnerable. Due to this reason, this flaw has been rated with a low severity.", "package_state" : [ { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "jenkins-2-plugins", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel8", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "OpenShift Developer Tools and Services", "fix_state" : "Affected", "package_name" : "ocp-tools-4/jenkins-rhel9", "cpe" : "cpe:/a:redhat:ocp_tools" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat build of Apache Camel for Spring Boot 4", "fix_state" : "Affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:camel_spring_boot:4" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "javapackages-tools:201801/maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven:3.9/maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "maven-wagon", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "streams for Apache Kafka 2", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:amq_streams:2" }, { "product_name" : "streams for Apache Kafka 3", "fix_state" : "Not affected", "package_name" : "mina-core", "cpe" : "cpe:/a:redhat:amq_streams:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41635\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41635\nhttps://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm" ], "name" : "CVE-2026-41635", "csaw" : false }