Cyber Posture

CVE-2026-34478

High

Published: 10 April 2026

Published
10 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0015 35.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34478 is a high-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in Apache Log4J. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 35.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Transmitted Data Manipulation (T1565.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the Log4j Rfc5424Layout flaw by requiring timely remediation through upgrade to version 2.25.4, which corrects the undocumented attribute renames and restores newline escaping.

CM-6 Configuration Settings good match
prevent

Requires establishment and enforcement of secure configuration settings for Rfc5424Layout, ensuring correct use of renamed attributes like newLineEscape and useTlsMessageFormat to prevent CRLF injection in syslog output.

SI-15 Information Output Filtering good match
prevent

Mandates filtering of log output prior to transmission to external syslog systems, neutralizing CRLF sequences from untrusted input to block log injection attacks.

MITRE ATT&CK Enterprise TechniquesAI

T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
attack.mitre.org →
Why these techniques?

Log injection via CRLF in Rfc5424Layout enables manipulation of transmitted syslog data (forging/splitting messages, disrupting integrity); may facilitate command injection in log consumers.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:…

more

* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

Deeper analysisAI

CVE-2026-34478 is a log injection vulnerability in Apache Log4j Core's Rfc5424Layout, affecting versions 2.21.0 through 2.25.3. It stems from undocumented renames of security-relevant configuration attributes, enabling CRLF sequence injection in log output. The issue impacts users of stream-based syslog services who configure Rfc5424Layout directly: the newLineEscape attribute rename disables newline escaping for TCP framing (RFC 6587), while the useTlsMessageFormat attribute rename causes TLS framing (RFC 5425) configurations to downgrade silently to unframed TCP without newline escaping. Users of SyslogAppender remain unaffected, as its attributes were unchanged.

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), achieving high integrity impact via injected CRLF sequences. Exploitation occurs when untrusted input reaches the layout, allowing attackers to forge or split syslog messages, potentially misleading downstream log parsers, enabling command injection in log consumers, or disrupting log integrity (CWE-117: Improper Output Neutralization for Logs, CWE-684: Incorrect Provision of Specified Functionality).

Apache advisories recommend upgrading to Log4j Core 2.25.4, which restores proper attribute handling and escaping. Mitigation details appear in the security bulletin at https://logging.apache.org/security.html#CVE-2026-34478, the fixing pull request at https://github.com/apache/logging-log4j2/pull/4074, and the mailing list announcement at https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt. The Rfc5424Layout documentation at https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout notes the attribute changes.

Details

CWE(s)
CWE-117CWE-684

Affected Products

apache
log4j
3.0.0 · 2.21.0 — 2.25.4

CVEs Like This One

CVE-2026-34480Same product: Apache Log4J
CVE-2026-34481Same product: Apache Log4J
CVE-2024-55532Same vendor: Apache
CVE-2025-66524Same vendor: Apache
CVE-2026-24308Same vendor: Apache
CVE-2026-30911Same vendor: Apache
CVE-2026-41602Same vendor: Apache
CVE-2025-62188Same vendor: Apache
CVE-2026-40010Same vendor: Apache
CVE-2026-39816Same vendor: Apache

References