Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
2802 articles · 174869 vulns · 37/41 feeds (7d)
← Back to list
—
CVE-2026-49844EXPLOITEDPATCHED
apache · log4j api

Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()

Description

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document. The defect is reachable only when both of the following conditions hold: * The application uses the message resolver https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}). * The application logs a MapMessage that contains an attacker-controlled floating-point value. An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing. Users are advised to upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for non-finite values.

Affected Products

VendorProductVersions
apachelog4j api2.13.1, 2.26.0, 3.0.0-alpha1

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apachelog4cxxcert_advisory90%
apachelog4jcert_advisory90%

References

  • https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message(related)
  • https://github.com/apache/logging-log4j2/pull/4163(patch)
  • https://logging.apache.org/cyclonedx/vdr.xml(vendor-advisory)
  • https://logging.apache.org/security.html#CVE-2026-49844(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories2h ago
[NEU] [mittel] Apache log4j und Log4cxx: Mehrere Schwachstellen ermöglichen Manipulation von Dateien
→ No new info (linked only)
Tier C
oss-security2d ago
CVE-2026-49844: Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
→ No new info (linked only)
Tier C
VulDB2d ago
CVE-2026-49844 | Apache Log4j API up to 2.25.4/2.26.0 MapMessage MapMessage.asJson encoding error
→ No new info (linked only)
CISA KEV❌ No
Actively exploited✅ Yes
Patch available
2.25.52.26.1
CWECWE-116
PublishedJul 10, 2026
Last enriched2d agov2
Tags
CVE-2026-49844
Trending Score65
Source articles3
Independent3
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-40008EXP
Apache IoTDB: Arbitrary Class Instantiation via Pipe Transfer RPC
Trending: 48
CRITICALCVE-2026-40005EXP
Apache IoTDB: Path Traversal in Pipe File Transfer Receiver
Trending: 48
CRITICALCVE-2026-28564EXP
Apache IoTDB: REST Basic Authentication Accepts Stale Cached Credentials
Trending: 48
HIGHCVE-2026-40452EXP
Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users
Trending: 43
HIGHCVE-2026-40454EXP
Apache IoTDB C++ client: Out-of-bounds reads in C++ client TsBlock deserializer crash client process on malformed server data
Trending: 43

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 10, 2026
Actively Exploited
Jul 10, 2026
Patch Available
Jul 10, 2026
Discovered by ZDM
Jul 10, 2026
Updated: severity, activelyExploited, tags
Jul 10, 2026

Version History

v2
Last enriched 2d ago
v2Tier C2d ago

Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.

severityactivelyExploitedtags
via VulDB
v12d ago

Initial creation