Cyber Resilience

CVE-2026-34478

Medium

Published: 10 April 2026

Published
10 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 10.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34478 is a medium-severity Improper Output Neutralization for Logs (CWE-117) vulnerability in Apache Log4J. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Transmitted Data Manipulation (T1565.002); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-34478 is a log injection vulnerability in Apache Log4j Core's Rfc5424Layout, affecting versions 2.21.0 through 2.25.3. It stems from undocumented renames of security-relevant configuration attributes, enabling CRLF sequence injection in log output. The issue impacts users of stream-based syslog services who configure Rfc5424Layout directly: the newLineEscape attribute rename disables newline escaping for TCP framing (RFC 6587), while the useTlsMessageFormat attribute rename causes TLS framing (RFC 5425) configurations to downgrade silently to unframed TCP without newline escaping. Users of SyslogAppender remain unaffected, as its attributes were unchanged.

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity (CVSS 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), achieving high integrity impact via injected CRLF sequences. Exploitation occurs when untrusted input reaches the layout, allowing attackers to forge or split syslog messages, potentially misleading downstream log parsers, enabling command injection in log consumers, or disrupting log integrity (CWE-117: Improper Output Neutralization for Logs, CWE-684: Incorrect Provision of Specified Functionality).

Apache advisories recommend upgrading to Log4j Core 2.25.4, which restores proper attribute handling and escaping. Mitigation details appear in the security bulletin at https://logging.apache.org/security.html#CVE-2026-34478, the fixing pull request at https://github.com/apache/logging-log4j2/pull/4074, and the mailing list announcement at https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt. The Rfc5424Layout documentation at https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout notes the attribute changes.

EU & UK References

Vulnerability details

Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:…

more

* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1565.002 Transmitted Data Manipulation Impact
Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Log injection via CRLF in Rfc5424Layout enables manipulation of transmitted syslog data (forging/splitting messages, disrupting integrity); may facilitate command injection in log consumers.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34480Same product: Apache Log4J
CVE-2026-34481Same product: Apache Log4J
CVE-2026-41604Same vendor: Apache
CVE-2026-46586Same vendor: Apache
CVE-2026-30911Same vendor: Apache
CVE-2025-54550Same vendor: Apache
CVE-2026-30912Same vendor: Apache
CVE-2026-42252Same vendor: Apache
CVE-2026-42809Same vendor: Apache
CVE-2026-41873Same vendor: Apache

Affected Assets

apache
log4j
3.0.0 · 2.21.0 — 2.25.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the Log4j Rfc5424Layout flaw by requiring timely remediation through upgrade to version 2.25.4, which corrects the undocumented attribute renames and restores newline escaping.

prevent

Requires establishment and enforcement of secure configuration settings for Rfc5424Layout, ensuring correct use of renamed attributes like newLineEscape and useTlsMessageFormat to prevent CRLF injection in syslog output.

prevent

Mandates filtering of log output prior to transmission to external syslog systems, neutralizing CRLF sequences from untrusted input to block log injection attacks.

References