CVE-2026-34478

Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility

Assigner: apache
Reserved: 28.03.2026 Published: 10.04.2026 Updated: 10.04.2026

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.

Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
CVSS Score: 6.9

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Apache Software Foundation
Product	Apache Log4j Core
Versions	Default: unaffected affected from 2.21.0 to 2.25.4 (excl.) affected from 3.0.0-beta1 to 3.0.0-beta3 (incl.)

Vendor

Apache Software Foundation

Product

Apache Log4j Core

Versions

Default: unaffected

affected from 2.21.0 to 2.25.4 (excl.)
affected from 3.0.0-beta1 to 3.0.0-beta3 (incl.)

Credits

Samuli Leinonen finder

References

Problem Types