{
  "threat_severity" : "Low",
  "public_date" : "2026-04-27T08:59:50Z",
  "bugzilla" : {
    "description" : "Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass",
    "id" : "2463177",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463177"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "Apache MINA's AbstractIoBuffer.resolveClass() contains two branches, one of them (for static classes or primitive types) does not check the class at all, bypassing the classname allowlist and allowing arbitrary code to be executed.\nThe fix checks if the class is present in the accepted class filter before calling Class.forName(). \nAffected versions are Apache MINA 2.0.0 <= 2.0.27, 2.1.0 <= 2.1.10, and\n2.2.0 <= 2.2.5.\nThe problem is resolved in Apache MINA 2.0.28, 2.1.11, and 2.2.6 by \napplying the classname allowlist earlier.\nAffected are applications using Apache MINA that call  IoBuffer.getObject().\nApplications using Apache MINA are advised to upgrade.", "A flaw was found in Apache MINA. A remote attacker could exploit a vulnerability in the `AbstractIoBuffer.resolveClass()` method, which failed to properly validate class names for static classes or primitive types. This bypasses the intended security control, known as a classname allowlist, allowing an attacker to execute arbitrary code on systems running applications that use Apache MINA and call `IoBuffer.getObject()`. This could lead to a complete compromise of the affected system." ],
  "statement" : "Red Hat products are affected by this vulnerability. However, the vulnerable code cannot be reached and therefore are not vulnerable. Due to this reason, this flaw has been rated with a low severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17668",
    "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18",
    "package" : "mina-core"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "jenkins",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "ocp-tools-4/jenkins-rhel8",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "OpenShift Developer Tools and Services",
    "fix_state" : "Affected",
    "package_name" : "ocp-tools-4/jenkins-rhel9",
    "cpe" : "cpe:/a:redhat:ocp_tools"
  }, {
    "product_name" : "Red Hat AMQ Broker 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:amq_broker:7"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "javapackages-tools:201801/maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "maven:3.9/maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "maven-wagon",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "streams for Apache Kafka 2",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:amq_streams:2"
  }, {
    "product_name" : "streams for Apache Kafka 3",
    "fix_state" : "Not affected",
    "package_name" : "mina-core",
    "cpe" : "cpe:/a:redhat:amq_streams:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-41635\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-41635\nhttps://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm" ],
  "name" : "CVE-2026-41635",
  "csaw" : false
}