CVE-2026-34478
Log Injection vulnerability in log4j-core (Maven)
What is CVE-2026-34478 About?
Apache Log4j Core's `Rfc5424Layout` (versions 2.21.0-2.25.3) is vulnerable to log injection via CRLF sequences due to silently renamed security attributes. This can cause newline escaping to fail for TCP framing or downgrade TLS framing to unframed TCP, allowing attackers to inject arbitrary log lines. Exploitation is moderately easy for attackers who can control log content.
Affected Software
- org.apache.logging.log4j:log4j-core
- >=3.0.0-beta1, <=3.0.0-beta3
- >=2.21.0, <2.25.4
Technical Details
The Rfc5424Layout in Apache Log4j Core versions 2.21.0 through 2.25.3 suffers from log injection vulnerabilities stemming from undocumented renames of security-relevant configuration attributes. Specifically, the newLineEscape attribute was silently renamed, causing newline escaping to cease functioning for users of TCP framing (RFC 6587), making them susceptible to CRLF injection in log output. Additionally, the useTlsMessageFormat attribute was also silently renamed, which inadvertently causes users configured for TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587) without proper newline escaping, thereby also exposing them to CRLF injection. These issues allow attackers to inject arbitrary log entries by including CRLF sequences within their controlled log data, potentially forging log messages or obscuring legitimate events.
What is the Impact of CVE-2026-34478?
Successful exploitation may allow attackers to inject arbitrary log entries, forge log messages, obscure malicious activities, or bypass security monitoring by manipulating log output.
What is the Exploitability of CVE-2026-34478?
Exploitation complexity is moderate. No specific authentication or privileges are required beyond the ability to submit data that is eventually logged using the Rfc5424Layout. The attack can be performed remotely by injecting CRLF sequences into user-controlled input that is logged. The primary prerequisites are the use of the Rfc5424Layout in affected versions and the absence of prior sanitization of attacker-controlled input before logging. Users of SyslogAppender are explicitly stated to be unaffected. The risk is higher in applications that log raw user input to syslog services using stream-based protocols.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2026-34478?
Available Upgrade Options
- org.apache.logging.log4j:log4j-core
- >=2.21.0, <2.25.4 → Upgrade to 2.25.4
Additional Resources
- https://logging.apache.org/cyclonedx/vdr.xml
- https://osv.dev/vulnerability/GHSA-445c-vh5m-36rj
- https://logging.apache.org/security.html#CVE-2026-34478
- https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
- http://www.openwall.com/lists/oss-security/2026/04/10/7
- https://nvd.nist.gov/vuln/detail/CVE-2026-34478
- https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
- https://github.com/apache/logging-log4j2/pull/4074
What are Similar Vulnerabilities to CVE-2026-34478?
Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, CVE-2022-23307, CVE-2022-23305
