Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
Summary
| CVE | CVE-2026-34478 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-10 16:16:31 UTC |
| Updated | 2026-04-10 17:17:02 UTC |
| Description | Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: (1) the newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output; (2) the useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue. |
Risk And Classification
Primary CVSS: v4.0 6.9 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Problem Types: CWE-117 Improper Output Neutralization for Logs | CWE-684 Incorrect Provision of Specified Functionality
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N |
CVSS v4.0 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | None |
| Integrity | None |
| Availability | None |
| Subsequent Confidentiality | None |
| Subsequent Integrity | Low |
| Subsequent Availability | None |
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Log4j Core | affected: 2.21.0 through 2.25.3 (fixed in 2.25.4); maven | Not specified |
| CNA | Apache Software Foundation | Apache Log4j Core | affected: 3.0.0-beta1 to 3.0.0-beta3; maven | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt | [email protected] | lists.apache.org | |
| logging.apache.org/security.html | [email protected] | logging.apache.org | |
| github.com/apache/logging-log4j2/pull/4074 | [email protected] | github.com | |
| logging.apache.org/log4j/2.x/manual/layouts.html | [email protected] | logging.apache.org | |
| logging.apache.org/cyclonedx/vdr.xml | [email protected] | logging.apache.org | |
| www.openwall.com/lists/oss-security/2026/04/10/7 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Samuli Leinonen (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2025-12-25T12:58:00.000Z | Vulnerability reported by Samuli Leinonen |
| CNA | 2026-03-10T16:00:00.000Z | Candidate patch shared internally by Piotr P. Karwasz |
| CNA | 2026-03-24T18:41:00.000Z | Fix shared publicly by Piotr P. Karwasz as pull request #4074 |
| CNA | 2026-03-25T11:02:00.000Z | Fix verified by reporter |
| CNA | 2026-03-28T11:19:00.000Z | Log4j 2.25.4 released |