VIR Vulnerability Intelligence Relay

CVE-2026-41635

critical
Published 2026-04-27 · Modified 2026-05-07
CVSS v3
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
9.8

Description

Apache MINA vulnerable to Deserialization of Untrusted Data

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-41635

vendor Authored 2026-05-27

Vendor advisory: security@apache.org — https://lists.apache.org/thread/1l91w1mqsb3lwfd504fs045ylxntt2tm

OS impact
OSVersionStatusFixed in
debian debianforkyaffected
debian debiansidaffected
debian debiantrixieaffected
debian debianbookwormaffected
debian debianbullseyeaffected

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.apache.mina:mina-core>=2.0.0,<2.0.282.0.28
java Mavenorg.apache.mina:mina-core>=2.1.0,<2.1.112.1.11
java Mavenorg.apache.mina:mina-core>=2.2.0,<2.2.62.2.6
java MAVENorg.apache.mina:mina-core>= 2.2.0, < 2.2.62.2.6
java MAVENorg.apache.mina:mina-core>= 2.1.0, < 2.1.112.1.11
java MAVENorg.apache.mina:mina-core>= 2.0.0, < 2.0.282.0.28

Application impact
VendorProductVersionsFixed
apache apachemina{"startIncluding":"2.0.0","endExcluding":"2.0.28"}2.0.28

References

CWEs

CWE-502

Verify integrity in audit chain (admin only). AS-IS.