Zero Day Monitor (ZDM)
CVE-2026-34478 (PATCHED)
Apache Software Foundation · Apache Log4j Core

Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility

Description

Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  • The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  • The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Affected Products

Vendor: Apache Software Foundation
Product: Apache Log4j Core
Versions: 2.21.0, 3.0.0-beta1

References

  • https://github.com/apache/logging-log4j2/pull/4074 (patch)
  • https://logging.apache.org/security.html#CVE-2026-34478 (vendor-advisory)
  • https://logging.apache.org/cyclonedx/vdr.xml (vendor-advisory)
  • https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout (related)
  • https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt (vendor-advisory)

Related News (2 articles)

Tier C · VulDB · 4h ago
CVE-2026-34478 | Apache Log4j Core up to 2.25.3/3.0.0-beta3 Configuration incorrect provision of specified functionality
→ No new info (linked only)

Tier C · oss-security · 7h ago
CVE-2026-34478: Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
→ No new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: 2.25.4
CWE: CWE-684, CWE-117
Published: Apr 10, 2026
Last enriched: 4h ago (v3)
Tags: CVE-2026-34478
Trending Score: 41
Source articles: 2
Independent: 2
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-34480 · EXP
Apache Log4j Core: Silent log event loss in XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 63

CRITICAL · CVE-2026-34477 · EXP
Apache Log4j Core: verifyHostName attribute silently ignored in TLS configuration, allowing hostname verification bypass
Trending: 60

NONE · CVE-2026-34479 · EXP
Apache Log4j 1 to Log4j 2 bridge: Silent log event loss in Log4j1XmlLayout due to unescaped XML 1.0 forbidden characters
Trending: 59

HIGH · CVE-2026-29146
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Trending: 54

CRITICAL · CVE-2026-29145
Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
Trending: 47

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 10, 2026
Discovered by ZDM: Apr 10, 2026
Updated (affectedVersions, tags): Apr 10, 2026
Updated (severity, affectedVersions): Apr 10, 2026
Patch Available: Apr 10, 2026

Version History

v3 · Tier C · 4h ago (last enriched)

Updated severity to HIGH, added new affected version 3.0.0-beta3, and corrected exploit availability status.

Fields changed: severity, affectedVersions
Source: VulDB

v2 · Tier C · 7h ago

Updated affected versions to include 3.0.0-beta2 and 3.0.0-beta3, changed severity to MEDIUM, and marked the vulnerability as actively exploited with an available exploit.

Fields changed: affectedVersions, tags
Source: oss-security

v1 · 7h ago

Initial creation