Vulnerability-Lookup

SUSE-SU-2026:1843-1

Vulnerability from csaf_suse - Published: 2026-05-13 15:24 - Updated: 2026-05-13 15:24

Summary

Security update for log4j

Severity

Moderate

Notes

Title of the patch: Security update for log4j

Description of the patch: This update for log4j fixes the following issues: - CVE-2026-34477: TLS connections vulnerable to interception due to incomplete hostname verification configuration checks (bsc#1262050). - CVE-2026-34479: silent log event loss due to improper XML escaping in `Log4j1XmlLayout` (bsc#1262091). - CVE-2026-34480: silent log event loss due to improper XML escaping in `XmlLayout` (bsc#1262092). - CVE-2026-34481: silent log event loss due to improper serialization of non-finite floating-point values in `JsonTemplateLayout` (bsc#1262093).

Patchnames: SUSE-2026-1843,SUSE-SLE-Module-Basesystem-15-SP7-2026-1843

CVE-2026-34477

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix

Threats

Impact moderate

CVE-2026-34479

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix

Threats

Impact moderate

CVE-2026-34480

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix

Threats

Impact moderate

CVE-2026-34481

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch	—	Vendor Fix

Threats

Impact moderate

References

20 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-updates/2026…	self
https://bugzilla.suse.com/1262050	self
https://bugzilla.suse.com/1262091	self
https://bugzilla.suse.com/1262092	self
https://bugzilla.suse.com/1262093	self
https://www.suse.com/security/cve/CVE-2026-34477/	self
https://www.suse.com/security/cve/CVE-2026-34479/	self
https://www.suse.com/security/cve/CVE-2026-34480/	self
https://www.suse.com/security/cve/CVE-2026-34481/	self
https://www.suse.com/security/cve/CVE-2026-34477	external
https://bugzilla.suse.com/1262050	external
https://www.suse.com/security/cve/CVE-2026-34479	external
https://bugzilla.suse.com/1262091	external
https://www.suse.com/security/cve/CVE-2026-34480	external
https://bugzilla.suse.com/1262092	external
https://www.suse.com/security/cve/CVE-2026-34481	external
https://bugzilla.suse.com/1262093	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for log4j",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for log4j fixes the following issues:\n\n- CVE-2026-34477: TLS connections vulnerable to interception due to incomplete hostname verification configuration\n  checks (bsc#1262050).\n- CVE-2026-34479: silent log event loss due to improper XML escaping in `Log4j1XmlLayout` (bsc#1262091).\n- CVE-2026-34480: silent log event loss due to improper XML escaping in `XmlLayout` (bsc#1262092).\n- CVE-2026-34481: silent log event loss due to improper serialization of non-finite floating-point values in\n  `JsonTemplateLayout` (bsc#1262093).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-1843,SUSE-SLE-Module-Basesystem-15-SP7-2026-1843",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1843-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:1843-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261843-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:1843-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046426.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262050",
        "url": "https://bugzilla.suse.com/1262050"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262091",
        "url": "https://bugzilla.suse.com/1262091"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262092",
        "url": "https://bugzilla.suse.com/1262092"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262093",
        "url": "https://bugzilla.suse.com/1262093"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34477 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34477/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34479 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34479/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34480 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34480/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-34481 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-34481/"
      }
    ],
    "title": "Security update for log4j",
    "tracking": {
      "current_release_date": "2026-05-13T15:24:57Z",
      "generator": {
        "date": "2026-05-13T15:24:57Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:1843-1",
      "initial_release_date": "2026-05-13T15:24:57Z",
      "revision_history": [
        {
          "date": "2026-05-13T15:24:57Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "log4j-2.20.0-150200.4.33.1.noarch",
                "product": {
                  "name": "log4j-2.20.0-150200.4.33.1.noarch",
                  "product_id": "log4j-2.20.0-150200.4.33.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "log4j-bom-2.20.0-150200.4.33.1.noarch",
                "product": {
                  "name": "log4j-bom-2.20.0-150200.4.33.1.noarch",
                  "product_id": "log4j-bom-2.20.0-150200.4.33.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "log4j-javadoc-2.20.0-150200.4.33.1.noarch",
                "product": {
                  "name": "log4j-javadoc-2.20.0-150200.4.33.1.noarch",
                  "product_id": "log4j-javadoc-2.20.0-150200.4.33.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "log4j-jcl-2.20.0-150200.4.33.1.noarch",
                "product": {
                  "name": "log4j-jcl-2.20.0-150200.4.33.1.noarch",
                  "product_id": "log4j-jcl-2.20.0-150200.4.33.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "log4j-slf4j-2.20.0-150200.4.33.1.noarch",
                "product": {
                  "name": "log4j-slf4j-2.20.0-150200.4.33.1.noarch",
                  "product_id": "log4j-slf4j-2.20.0-150200.4.33.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15:sp7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "log4j-2.20.0-150200.4.33.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch"
        },
        "product_reference": "log4j-2.20.0-150200.4.33.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "log4j-javadoc-2.20.0-150200.4.33.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch"
        },
        "product_reference": "log4j-javadoc-2.20.0-150200.4.33.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "log4j-jcl-2.20.0-150200.4.33.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch"
        },
        "product_reference": "log4j-jcl-2.20.0-150200.4.33.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "log4j-slf4j-2.20.0-150200.4.33.1.noarch as component of SUSE Linux Enterprise Module for Basesystem 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
        },
        "product_reference": "log4j-slf4j-2.20.0-150200.4.33.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15 SP7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-34477",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34477"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the \u003cSsl\u003e element.\n\nAlthough the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested \u003cSsl\u003e element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\nThis issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34477",
          "url": "https://www.suse.com/security/cve/CVE-2026-34477"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262050 for CVE-2026-34477",
          "url": "https://bugzilla.suse.com/1262050"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-13T15:24:57Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34477"
    },
    {
      "cve": "CVE-2026-34479",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34479"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34479",
          "url": "https://www.suse.com/security/cve/CVE-2026-34479"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262091 for CVE-2026-34479",
          "url": "https://bugzilla.suse.com/1262091"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-13T15:24:57Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34479"
    },
    {
      "cve": "CVE-2026-34480",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34480"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Apache Log4j Core\u0027s  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34480",
          "url": "https://www.suse.com/security/cve/CVE-2026-34480"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262092 for CVE-2026-34480",
          "url": "https://bugzilla.suse.com/1262092"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-13T15:24:57Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34480"
    },
    {
      "cve": "CVE-2026-34481",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-34481"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Apache Log4j\u0027s  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\n\nAn attacker can exploit this issue only if both of the following conditions are met:\n\n  *  The application uses JsonTemplateLayout.\n  *  The application logs a MapMessage containing an attacker-controlled floating-point value.\n\n\nUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
          "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-34481",
          "url": "https://www.suse.com/security/cve/CVE-2026-34481"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262093 for CVE-2026-34481",
          "url": "https://bugzilla.suse.com/1262093"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-javadoc-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-jcl-2.20.0-150200.4.33.1.noarch",
            "SUSE Linux Enterprise Module for Basesystem 15 SP7:log4j-slf4j-2.20.0-150200.4.33.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-13T15:24:57Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-34481"
    }
  ]
}

CVE-2026-34477 (GCVE-0-2026-34477)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:36 – Updated: 2026-04-10 17:38

Title

Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass

Summary

The fix for CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161 was incomplete: it addressed hostname verification only when enabled via the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property, but not when configured through the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName attribute of the <Ssl> element. Although the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value. A network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met: * An SMTP, Socket, or Syslog appender is in use. * TLS is configured via a nested <Ssl> element. * The attacker can present a certificate issued by a CA trusted by the appender's configured trust store, or by the default Java trust store if none is configured. This issue does not affect users of the HTTP appender, which uses a separate verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName attribute that was not subject to this bug and verifies host names by default. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-297 - Improper Validation of Certificate with Host Mismatch

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4075	patch
https://logging.apache.org/security.html#CVE-2026-34477	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/appen…	related
https://lists.apache.org/thread/lkx8cl46t2bvkcwfc…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.12.0 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Samuli Leinonen (original reporter) Naresh Kandula (independently) Vitaly Simonovich (independently) Raijuna (independently) Danish Siddiqui (djvirus, independently) Markus Magnuson (independently) Haruki Oyama (Waseda University, independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34477",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:36:46.652477Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:38:57.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.12.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Samuli Leinonen (original reporter)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Naresh Kandula (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Vitaly Simonovich (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Raijuna (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Danish Siddiqui (djvirus, independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Markus Magnuson (independently)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Haruki Oyama (Waseda University, independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe fix for \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/security.html#CVE-2025-68161\"\u003eCVE-2025-68161\u003c/a\u003e was incomplete: it addressed hostname verification only when enabled via the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName\"\u003e\u003ccode\u003elog4j2.sslVerifyHostName\u003c/code\u003e\u003c/a\u003e system property, but not when configured through the \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName\"\u003everifyHostName\u003c/a\u003e\u003c/code\u003e attribute of the \u003ccode\u003e\u0026lt;Ssl\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\u003cp\u003eAlthough the \u003ccode\u003everifyHostName\u003c/code\u003e configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\u003c/p\u003e\u003cp\u003eA network-based attacker may be able to perform a man-in-the-middle attack when \u003cstrong\u003eall\u003c/strong\u003e of the following conditions are met:\u003c/p\u003e\u003col\u003e\u003cli\u003eAn SMTP, Socket, or Syslog appender is in use.\u003c/li\u003e\u003cli\u003eTLS is configured via a nested \u003ccode\u003e\u0026lt;Ssl\u0026gt;\u003c/code\u003e element.\u003c/li\u003e\u003cli\u003eThe attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eThis issue does not affect users of the HTTP appender, which uses a separate \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName\"\u003everifyHostname\u003c/a\u003e\u003c/code\u003e attribute that was not subject to this bug and verifies host names by default.\u003c/p\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "The fix for  CVE-2025-68161 https://logging.apache.org/security.html#CVE-2025-68161  was incomplete: it addressed hostname verification only when enabled via the  log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName  system property, but not when configured through the  verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName  attribute of the \u003cSsl\u003e element.\n\nAlthough the verifyHostName configuration attribute was introduced in Log4j Core 2.12.0, it was silently ignored in all versions through 2.25.3, leaving TLS connections vulnerable to interception regardless of the configured value.\n\nA network-based attacker may be able to perform a man-in-the-middle attack when all of the following conditions are met:\n\n  *  An SMTP, Socket, or Syslog appender is in use.\n  *  TLS is configured via a nested \u003cSsl\u003e element.\n  *  The attacker can present a certificate issued by a CA trusted by the appender\u0027s configured trust store, or by the default Java trust store if none is configured.\nThis issue does not affect users of the HTTP appender, which uses a separate  verifyHostname https://logging.apache.org/log4j/2.x/manual/appenders/network.html#HttpAppender-attr-verifyHostName  attribute that was not subject to this bug and verifies host names by default.\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-297",
              "description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:36:19.740Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4075"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34477"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/lkx8cl46t2bvkcwfcb2pd43ygc097lq4"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-20T19:05:00.000Z",
          "value": "Vulnerability reported by Samuli Leinonen"
        },
        {
          "lang": "en",
          "time": "2025-12-30T22:57:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-02-25T19:35:00.000Z",
          "value": "Independent report received from Naresh Kandula"
        },
        {
          "lang": "en",
          "time": "2026-03-01T23:01:00.000Z",
          "value": "Independent report received from Vitaly Simonovich"
        },
        {
          "lang": "en",
          "time": "2026-03-02T06:31:00.000Z",
          "value": "Independent report received from Raijuna"
        },
        {
          "lang": "en",
          "time": "2026-03-08T18:17:00.000Z",
          "value": "Independent report received from Danish Siddiqui"
        },
        {
          "lang": "en",
          "time": "2026-03-19T09:46:00.000Z",
          "value": "Independent report received from Markus Magnuson"
        },
        {
          "lang": "en",
          "time": "2026-03-21T11:13:00.000Z",
          "value": "Independent report received from Haruki Oyama"
        },
        {
          "lang": "en",
          "time": "2026-03-24T19:46:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4075"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34477",
    "datePublished": "2026-04-10T15:36:19.740Z",
    "dateReserved": "2026-03-28T11:26:04.052Z",
    "dateUpdated": "2026-04-10T17:38:57.154Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34479 (GCVE-0-2026-34479)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:41 – Updated: 2026-04-10 17:47

Title

Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters

Summary

The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records. Two groups of users are affected: * Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file. * Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class. Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue. Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4078	patch
https://logging.apache.org/security.html#CVE-2026-34479	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/migrate-from…	related
https://lists.apache.org/thread/gd0hp6mj17rn3kj27…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j 1 to Log4j 2 bridge	Affected: 2.7 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta2 (maven) cpe:2.3:a:apache:log4j_1_2_api::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters) jabaltarik1 (independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:18.699Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/8"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34479",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:45:24.466114Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:47:34.402Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j_1_2_api:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-1.2-api",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-1.2-api",
          "product": "Apache Log4j 1 to Log4j 2 bridge",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.7",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta2",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "jabaltarik1 (independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eThe \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\u003c/p\u003e\u003cp\u003eTwo groups of users are affected:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThose using \u003ccode\u003eLog4j1XmlLayout\u003c/code\u003e directly in a Log4j Core 2 configuration file.\u003c/li\u003e\u003cli\u003eThose using the Log4j 1 configuration compatibility layer with \u003ccode\u003eorg.apache.log4j.xml.XMLLayout\u003c/code\u003e specified as the layout class.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eNote:\u003c/strong\u003e The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html\"\u003eLog4j 1 to Log4j 2 migration guide\u003c/a\u003e, and specifically the section on eliminating reliance on the bridge.\u003c/p\u003e"
            }
          ],
          "value": "The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.\n\nTwo groups of users are affected:\n\n  *  Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.\n  *  Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.\n\n\nUsers are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.\n\nNote: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the  Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:41:07.888Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4078"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34479"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T17:11:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-15T05:39:00.000Z",
          "value": "Independent report received from jabaltarik1"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:56:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4078"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:46:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34479",
    "datePublished": "2026-04-10T15:41:07.888Z",
    "dateReserved": "2026-03-28T14:06:31.965Z",
    "dateUpdated": "2026-04-10T17:47:34.402Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34480 (GCVE-0-2026-34480)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:42 – Updated: 2026-04-10 17:45

Title

Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters

Summary

Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use: * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records. * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Severity

6.9 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4077	patch
https://logging.apache.org/security.html#CVE-2026-34480	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/layou…	related
https://lists.apache.org/thread/5x0hcnng0chhghp6j…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j Core	Affected: 2.0-alpha1 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters) jabaltarik1 (independently)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:19.775Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/9"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34480",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:43:51.255638Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:45:07.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-core",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
          "product": "Apache Log4j Core",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.0-alpha1",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie) (original reporters)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "jabaltarik1 (independently)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j Core\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout\"\u003eXmlLayout\u003c/a\u003e\u003c/code\u003e, in versions up to and including 2.25.3, fails to sanitize characters forbidden by the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://www.w3.org/TR/xml/#charsets\"\u003eXML 1.0 specification\u003c/a\u003e producing invalid XML output whenever a log message or MDC value contains such characters.\u003c/p\u003e\u003cp\u003eThe impact depends on the StAX implementation in use:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003eJRE built-in StAX:\u003c/strong\u003e Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAlternative StAX implementations\u003c/strong\u003e (e.g., \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://github.com/FasterXML/woodstox\"\u003eWoodstox\u003c/a\u003e, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core \u003ccode\u003e2.25.4\u003c/code\u003e, which corrects this issue by sanitizing forbidden characters before XML output.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j Core\u0027s  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j\u0027s internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:42:03.843Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4077"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34480"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T17:11:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-10T20:15:00.000Z",
          "value": "Candidate patch shared internally by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-15T05:39:00.000Z",
          "value": "Independent report received from jabaltarik1"
        },
        {
          "lang": "en",
          "time": "2026-03-24T18:52:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4077"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:46:00.000Z",
          "value": "Fix verified by reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34480",
    "datePublished": "2026-04-10T15:42:03.843Z",
    "dateReserved": "2026-03-28T15:29:27.095Z",
    "dateUpdated": "2026-04-10T17:45:07.434Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-34481 (GCVE-0-2026-34481)

Vulnerability from cvelistv5 – Published: 2026-04-10 15:43 – Updated: 2026-04-10 17:41

Title

Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout

Summary

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met: * The application uses JsonTemplateLayout. * The application logs a MapMessage containing an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

CWE

CWE-116 - Improper Encoding or Escaping of Output

Assigner

apache

References

5 references

URL	Tags
https://github.com/apache/logging-log4j2/pull/4080	patch
https://logging.apache.org/security.html#CVE-2026-34481	vendor-advisory
https://logging.apache.org/cyclonedx/vdr.xml	vendor-advisory
https://logging.apache.org/log4j/2.x/manual/json-…	related
https://lists.apache.org/thread/n34zdv00gbkdbzt2r…	vendor-advisory

Impacted products

1 product

Vendor	Product	Version
Apache Software Foundation	Apache Log4j JSON Template Layout	Affected: 2.14.0 , < 2.25.4 (maven) Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j_layout_template_json::::::::

Credits

Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-04-10T16:18:20.891Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/04/10/10"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-34481",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-10T17:41:23.224802Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-10T17:41:38.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "cpes": [
            "cpe:2.3:a:apache:log4j_layout_template_json:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "packageName": "org.apache.logging.log4j:log4j-layout-template-json",
          "packageURL": "pkg:maven/org.apache.logging.log4j/log4j-layout-template-json",
          "product": "Apache Log4j JSON Template Layout",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "2.25.4",
              "status": "affected",
              "version": "2.14.0",
              "versionType": "maven"
            },
            {
              "lessThanOrEqual": "3.0.0-beta3",
              "status": "affected",
              "version": "3.0.0-alpha1",
              "versionType": "maven"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ap4sh (Samy Medjahed) and Ethicxz (Eliott Laurie)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eApache Log4j\u0027s \u003ccode\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/json-template-layout.html\"\u003eJsonTemplateLayout\u003c/a\u003e\u003c/code\u003e, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (\u003ccode\u003eNaN\u003c/code\u003e, \u003ccode\u003eInfinity\u003c/code\u003e, or \u003ccode\u003e-Infinity\u003c/code\u003e), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\u003c/p\u003e\u003cp\u003eAn attacker can exploit this issue only if both of the following conditions are met:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe application uses \u003ccode\u003eJsonTemplateLayout\u003c/code\u003e.\u003c/li\u003e\u003cli\u003eThe application logs a \u003ccode\u003eMapMessage\u003c/code\u003e containing an attacker-controlled floating-point value.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.\u003c/p\u003e"
            }
          ],
          "value": "Apache Log4j\u0027s  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.\n\nAn attacker can exploit this issue only if both of the following conditions are met:\n\n  *  The application uses JsonTemplateLayout.\n  *  The application logs a MapMessage containing an attacker-controlled floating-point value.\n\n\nUsers are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-116",
              "description": "CWE-116 Improper Encoding or Escaping of Output",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-10T15:43:00.100Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/apache/logging-log4j2/pull/4080"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/security.html#CVE-2026-34481"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://logging.apache.org/cyclonedx/vdr.xml"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://logging.apache.org/log4j/2.x/manual/json-template-layout.html"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-16T18:14:00.000Z",
          "value": "Vulnerability reported by Ap4sh and ethicxz"
        },
        {
          "lang": "en",
          "time": "2026-03-10T20:42:00.000Z",
          "value": "Candidate patch internally shared by Piotr P. Karwasz"
        },
        {
          "lang": "en",
          "time": "2026-03-24T23:06:00.000Z",
          "value": "Fix shared publicly by Piotr P. Karwasz as pull request #4080"
        },
        {
          "lang": "en",
          "time": "2026-03-25T09:54:00.000Z",
          "value": "Fix verified by the reporter"
        },
        {
          "lang": "en",
          "time": "2026-03-28T11:19:00.000Z",
          "value": "Log4j 2.25.4 released"
        }
      ],
      "title": "Apache Log4j JSON Template Layout: Improper serialization of non-finite floating-point values in JsonTemplateLayout",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-34481",
    "datePublished": "2026-04-10T15:43:00.100Z",
    "dateReserved": "2026-03-28T19:23:37.127Z",
    "dateUpdated": "2026-04-10T17:41:38.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

SUSE-SU-2026:1843-1

CVE-2026-34477 (GCVE-0-2026-34477)

CVE-2026-34479 (GCVE-0-2026-34479)

CVE-2026-34480 (GCVE-0-2026-34480)

CVE-2026-34481 (GCVE-0-2026-34481)

Tags

Sightings

Nomenclature