Cyber Resilience

CVE-2026-34481

Severity: Medium
Published: 10 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available (upgrade to 2.25.4)
CVSS v4.0 score: 6.3 (Medium)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0056 (42.0th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-34481 is a medium-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache Log4j. Its CVSS v4.0 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify Tools (T1685). Its exploit likelihood sits at the 42.0th percentile (EPSS 0.0056, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34481 affects the JsonTemplateLayout component of Apache Log4j in versions up to and including 2.25.3. When a log event carries a non-finite floating-point value (NaN, Infinity or -Infinity), the layout writes it into the JSON output as-is, even though the JSON grammar in RFC 8259 has no representation for such values. The resulting record is not valid JSON, so downstream log processing systems may reject it or fail to index it, and the event is effectively lost to anything that consumes those logs. The weakness is classified as CWE-116 (Improper Encoding or Escaping of Output). One published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) scores it 7.5 (High); the CVSS v4.0 vector shown above, which records high attack complexity, attack requirements (AT:P) and only a low integrity impact on the subsequent logging system (SI:L), yields 6.3 (Medium).

Exploitation requires two conditions in the target application: it must use JsonTemplateLayout, and it must log a MapMessage whose values include a floating-point number the attacker controls (for example, a request parameter parsed to a double and logged alongside other request fields). Under those conditions an unauthenticated remote attacker can supply a value such as NaN or Infinity and force the layout to emit malformed records. There is no direct confidentiality or availability impact on the application itself; the impact is on the integrity and completeness of the log pipeline, which is what the integrity rating reflects.

Apache advises upgrading to Log4j JSON Template Layout 2.25.4, which corrects the handling of non-finite floating-point values. Details are in the Apache Log4j security advisory (https://logging.apache.org/security.html#CVE-2026-34481), the fixing pull request (https://github.com/apache/logging-log4j2/pull/4080) and the mailing list announcement (https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv).


Vulnerability details

Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met:

* The application uses JsonTemplateLayout.
* The application logs a MapMessage containing an attacker-controlled floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

CWE(s)

CWE-116 Improper Encoding or Escaping of Output

Related Threats

MITRE ATT&CK Enterprise Techniques

T1685 Disable or Modify Tools (Defense Impairment)
Adversaries may disable, degrade, or tamper with security tools or applications (e.

Why these techniques?

The vulnerability lets an attacker inject non-finite floats into a MapMessage that is logged through JsonTemplateLayout, producing malformed JSON that downstream processors reject. That blocks the affected log events from being indexed or processed, which is a form of indicator blocking in support of impairing defenses.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34480 (same product: Apache Log4j)
CVE-2026-34478 (same product: Apache Log4j)
CVE-2026-34483 (same vendor: Apache)
CVE-2026-42810 (same vendor: Apache)
CVE-2026-31910 (same vendor: Apache)
CVE-2025-30067 (same vendor: Apache)
CVE-2026-31909 (same vendor: Apache)
CVE-2026-24734 (same vendor: Apache)
CVE-2025-59059 (same vendor: Apache)
CVE-2026-41602 (same vendor: Apache)

Affected Assets

apache / log4j
3.0.0
2.14.0 through 2.25.3 (fixed in 2.25.4)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring timely remediation: upgrade Log4j JSON Template Layout to version 2.25.4, which handles non-finite floating-point values correctly.

SI-10 Information Input Validation (prevent)

Requires validation of attacker-controlled inputs before they are placed in a logged MapMessage, so that non-finite floating-point values are rejected or sanitized before they can produce invalid JSON.

Response to audit logging process failures (detect, respond)

Addresses the downstream symptom, rejected or unindexed log records, by requiring automated alerting and response when the log pipeline fails to process records because of malformed JSON output.
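The following Python script is an added example, not code from the Log4j project or from this page. It emulates the failure mode described in the deeper analysis and the two controls above (SI-10 input sanitising, and detection of rejected records) end to end. Python's json module stands in for the Java JSON writer because json.dumps emits bare NaN / Infinity / -Infinity tokens by default, which is the kind of non-RFC-8259 output the advisory describes; the record shape, field names and sample values are constructed, and the exact serialization of the real layout is not reproduced.

```python
import json
import math
from typing import Any

# Added example, not Log4j code. json.dumps (allow_nan=True by default) plays
# the role of the pre-2.25.4 serializer; record layout and values are constructed.


def attacker_controlled_amount(raw: str) -> float:
    """Emulates the vulnerable application path: a request parameter is parsed
    to a double and later placed in a MapMessage. Like Java's Double.parseDouble,
    Python's float() accepts the spellings "NaN", "Infinity" and "-Infinity"."""
    return float(raw)


def render_vulnerable(message: dict[str, Any]) -> str:
    """Emulates JsonTemplateLayout before 2.25.4 (assumed output shape): the
    MapMessage is serialised as a nested object, and non-finite doubles come out
    as bare tokens that the RFC 8259 grammar does not define."""
    record = {"timestamp": "2026-04-10T12:00:00Z", "level": "INFO", "message": message}
    return json.dumps(record)  # allow_nan=True is the default: NaN/Infinity pass through


def _reject_constant(token: str) -> Any:
    # Python accepts NaN/Infinity on input by default; an RFC 8259-strict consumer
    # (the typical log indexer) does not, so turn the token into a hard error.
    raise ValueError(f"non-RFC-8259 token: {token}")


def parse_strict(line: str) -> dict[str, Any]:
    """Parse one log line the way an RFC 8259-strict downstream consumer would."""
    return json.loads(line, parse_constant=_reject_constant)


def strict_accepts(line: str) -> bool:
    """True if a strict consumer would index this line, False if it would reject it."""
    try:
        parse_strict(line)
        return True
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return False


def sanitize_for_log(value: Any) -> Any:
    """SI-10-style input validation applied before the value reaches the logger:
    non-finite floats are replaced by their textual form, which the layout then
    emits as an ordinary escaped JSON string. Nested maps and lists are handled."""
    if isinstance(value, float) and not math.isfinite(value):
        return repr(value)  # "nan", "inf", "-inf"
    if isinstance(value, dict):
        return {k: sanitize_for_log(v) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize_for_log(v) for v in value]
    return value


def ingest(lines: list[str]) -> tuple[list[dict[str, Any]], list[str]]:
    """Detect/respond side: index what parses and quarantine what does not, so
    rejected records are counted and retained instead of silently dropped."""
    indexed: list[dict[str, Any]] = []
    quarantined: list[str] = []
    for line in lines:
        if strict_accepts(line):
            indexed.append(parse_strict(line))
        else:
            quarantined.append(line)
    return indexed, quarantined


if __name__ == "__main__":
    # Attacker supplies "NaN" as an order amount; the app logs it via a MapMessage.
    tainted = {"order_id": "A1", "amount": attacker_controlled_amount("NaN")}
    bad_line = render_vulnerable(tainted)
    good_line = render_vulnerable({"order_id": "A2", "amount": 12.5})
    fixed_line = render_vulnerable(sanitize_for_log(tainted))
    print("vulnerable layout :", bad_line)
    print("strict parse ok   :", strict_accepts(bad_line))
    print("after sanitizing  :", fixed_line)
    indexed, quarantined = ingest([bad_line, good_line, fixed_line])
    print(f"indexed={len(indexed)} quarantined={len(quarantined)}")
```

The quarantine count from `ingest` is the signal the detect/respond control asks for: a non-zero count of rejected records from a source that normally parses cleanly is worth an alert, and keeping the raw lines lets you see which field carried the non-finite value. Sanitizing at the input boundary, as `sanitize_for_log` does, is the interim measure for code that cannot move to 2.25.4 immediately; the upgrade remains the actual fix.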
