The vulnerability stems from insecure Java deserialization in the CompatibleObjectInputStream class. The pre-patch implementation extended ObjectInputStream directly, with no deserialization controls. The critical fix changed the superclass to ObjectInputStreamEx and passed ClassFilter.DEFAULT in the constructor, which is Jenkins' mechanism for safe deserialization per JEP-200. The added test, Security2376Test, demonstrates that without these protections the deserialization of unsafe types (such as IdentityHashMap) would be allowed, leading to RCE. The root cause was the constructor's failure to apply any deserialization filtering.
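To illustrate the same defensive pattern in plain JDK terms, here is an added example (not Jenkins code, and not the ObjectInputStreamEx/ClassFilter implementation the fix uses) that installs an allowlist filter on an ObjectInputStream via the standard java.io.ObjectInputFilter API (Java 9+); the allowlist pattern and the sample objects are constructed for the demo, and the rejected type is the IdentityHashMap the page's test refers to.

```java
import java.io.*;
import java.util.IdentityHashMap;

// Added example: allowlist-based deserialization filtering with the JDK's
// ObjectInputFilter. Same idea as the Jenkins fix, but using only standard
// library calls; the allowlist below is a constructed sample.
public class SafeDeserializationDemo {

    // JDK filter pattern syntax: named classes are allowed, "!*" rejects all others.
    static final ObjectInputFilter ALLOWLIST =
        ObjectInputFilter.Config.createFilter("java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserializes with the filter installed on this stream only, so a class
    // outside the allowlist is rejected before any of its readObject code runs.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // An allowed type round-trips normally.
        System.out.println(deserialize(serialize("hello")));

        // A type outside the allowlist is refused with an InvalidClassException
        // whose message reports the filter decision ("filter status: REJECTED").
        IdentityHashMap<String, String> m = new IdentityHashMap<>();
        m.put("k", "v");
        try {
            deserialize(serialize(m));
            System.out.println("unexpected: IdentityHashMap accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Without the setObjectInputFilter call the second deserialize succeeds, which is the unfiltered behaviour the pre-patch CompatibleObjectInputStream had.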