CVE-2026-34481
Published: 10 April 2026
Summary
CVE-2026-34481 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Apache Log4j. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Indicator Blocking (T1562.006); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely remediation through upgrading Log4j JsonTemplateLayout to version 2.25.4, which properly handles non-finite floating-point values.
SI-10 (Information Input Validation): requires validation of attacker-controlled inputs to logged MapMessages so that non-finite floating-point values are rejected or sanitized before they can produce invalid JSON.
AU-5 (Response to Audit Logging Process Failures): addresses downstream log rejection or processing failures by requiring automated alerts and responses when the audit logging process is disrupted by malformed JSON output.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows injection of non-finite floats into MapMessages logged via JsonTemplateLayout, producing malformed JSON rejected by downstream processors. This directly facilitates blocking log events from being indexed/processed, enabling indicator blocking as part of impairing defenses.
NVD Description
Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. An attacker can exploit this issue only if both of the following conditions are met:
- The application uses JsonTemplateLayout.
- The application logs a MapMessage containing an attacker-controlled floating-point value.
Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
Deeper analysis (AI-generated)
CVE-2026-34481 affects Apache Log4j's JsonTemplateLayout component in versions up to and including 2.25.3. This layout produces invalid JSON output when log events contain non-finite floating-point values such as NaN, Infinity, or -Infinity, which violate RFC 8259 standards. As a result, downstream log processing systems may reject or fail to index the affected log records, leading to potential loss of logging data. The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Exploitation requires an application that both uses JsonTemplateLayout for logging and logs a MapMessage containing an attacker-controlled floating-point value. An unauthenticated remote attacker meeting these conditions can inject non-finite values, causing the generated JSON to be malformed. This disrupts log ingestion in downstream systems without direct confidentiality or availability impacts, but with high integrity consequences for logging reliability.
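The two controls described above (validating MapMessage fields before they reach the JSON layout, and keeping downstream ingestion alive when a malformed record does arrive) can both be checked in a few lines. The following is an added example, not code from the Apache Log4j project or from this advisory; the sample log lines and field names are constructed. It uses Python's `json` module because its default parser is lenient (it accepts the bare `NaN`/`Infinity` tokens that RFC 8259 forbids), while `parse_constant` turns it into the strict parser that an indexing pipeline would typically be running:

```python
import json
import math
from typing import Any

# Constructed sample records in the shape JsonTemplateLayout would emit for a
# MapMessage (field names are assumptions). Lines 2-4 carry the non-finite
# tokens that an RFC 8259-strict consumer will refuse to parse.
SAMPLE_LINES = [
    '{"@timestamp":"2026-04-10T12:00:00Z","level":"INFO","message":{"user":"alice","latency_ms":12.5}}',
    '{"@timestamp":"2026-04-10T12:00:01Z","level":"INFO","message":{"user":"bob","latency_ms":NaN}}',
    '{"@timestamp":"2026-04-10T12:00:02Z","level":"WARN","message":{"user":"carol","ratio":Infinity}}',
    '{"@timestamp":"2026-04-10T12:00:03Z","level":"WARN","message":{"user":"dave","ratio":-Infinity}}',
]


def _reject_non_finite(token: str) -> Any:
    # json.loads calls parse_constant only for the tokens NaN, Infinity, -Infinity,
    # so raising here makes the parser RFC 8259-strict.
    raise ValueError(f"non-finite JSON token not allowed by RFC 8259: {token}")


def strict_loads(line: str) -> dict:
    """Parse a record the way a strict downstream consumer would."""
    return json.loads(line, parse_constant=_reject_non_finite)


def is_rfc8259_valid(line: str) -> bool:
    """True if the record would be accepted by a strict parser."""
    try:
        strict_loads(line)
        return True
    except ValueError:
        return False


def sanitize_value(value: Any) -> Any:
    """Replace non-finite floats anywhere in a nested structure with None (JSON null)."""
    if isinstance(value, float) and not math.isfinite(value):
        return None
    if isinstance(value, dict):
        return {k: sanitize_value(v) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize_value(v) for v in value]
    return value


def sanitize_map_message(fields: dict) -> dict:
    """Producer-side control (SI-10): apply to a MapMessage-like dict before it is
    handed to a JSON layout, so attacker-influenced NaN/Infinity never reach the output."""
    return sanitize_value(fields)


def ingest(lines) -> dict:
    """Consumer-side control (AU-5): count records a strict parser would reject,
    recover them with the lenient parser, neutralise the offending values and
    re-emit RFC-valid JSON so the event is indexed instead of silently dropped."""
    accepted, repaired, rejected_strict = [], 0, 0
    for line in lines:
        try:
            record = strict_loads(line)
        except ValueError:
            rejected_strict += 1          # this is the count worth alerting on
            record = sanitize_value(json.loads(line))
            repaired += 1
        # allow_nan=False guarantees the re-serialised record is strictly valid.
        accepted.append(json.dumps(record, allow_nan=False))
    return {"accepted": accepted, "repaired": repaired, "rejected_strict": rejected_strict}


if __name__ == "__main__":
    print(ingest(SAMPLE_LINES))
```

The `rejected_strict` counter is the signal to wire into monitoring: a sudden rise in records that only the lenient path can parse indicates either the unpatched layout in production or someone feeding non-finite values into a logged MapMessage, and either way the fix is the 2.25.4 upgrade plus validation at the point where the float enters the message.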
Apache advises users to upgrade to Log4j JSON Template Layout version 2.25.4, which resolves the issue by properly handling non-finite floating-point values. Detailed information is available in the official Apache Log4j security advisory at https://logging.apache.org/security.html#CVE-2026-34481, the related GitHub pull request at https://github.com/apache/logging-log4j2/pull/4080, and the mailing list announcement at https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv.
Details
- CWE(s)