CVE-2026-34478
CRLF Injection in Apache Log4j Rfc5424Layout via Renamed Attributes

Publication date: 2026-04-10

Last updated on: 2026-04-24

Assigner: Apache Software Foundation

Description
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  • The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  • The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor   Product   Version / Range
apache   log4j     3.0.0
apache   log4j     3.0.0
apache   log4j     3.0.0
apache   log4j     From 2.21.0 (inc) to 2.25.4 (exc)
CWE ID    Description
CWE-117   The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
CWE-684   The code does not function according to its published specifications, potentially leading to incorrect usage.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Apache Log4j Core's Rfc5424Layout allows log injection via CRLF sequences, which can enable attackers to inject malicious content into logs. This compromises the integrity and reliability of log files, potentially obscuring audit trails and hindering detection of malicious activities.

Since many compliance standards and regulations such as GDPR and HIPAA require accurate and tamper-evident logging for auditing and forensic purposes, this vulnerability can negatively impact compliance by undermining the trustworthiness of log data.

Remediation by upgrading to Apache Log4j Core version 2.25.4 or later is necessary to restore proper sanitization and prevent log injection, thereby helping maintain compliance with these standards.


Can you explain this vulnerability to me?

CVE-2026-34478 is a log injection vulnerability in Apache Log4j Core's Rfc5424Layout component, affecting versions 2.21.0 through 2.25.3. The issue arises because certain security-relevant configuration attributes were silently renamed during a migration to a builder pattern, causing the layout to stop properly escaping newline characters in logs. This leads to CRLF (Carriage Return Line Feed) injection, where attackers can insert malicious newline sequences into log entries.

Specifically, two attributes were renamed without documentation: 'newLineEscape' and 'useTlsMessageFormat'. The renaming caused newline escaping to stop working for TCP framing users and caused TLS framing users to be downgraded to unframed TCP without newline escaping. This allows attackers who can influence logged data to inject crafted log entries that manipulate or corrupt log files.

Users of the SyslogAppender are not affected because its configuration attributes were not changed. The vulnerability is fixed in Apache Log4j Core version 2.25.4, which restores support for the original documented attribute names and proper escaping.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers who can control or influence log input to inject malicious content into your log files. This log injection can corrupt or manipulate log data, potentially obscuring audit trails and making it difficult to detect malicious activities.

Because newline escaping is disabled due to the silent renaming of configuration attributes, attackers can insert CRLF sequences that break the structure of logs, leading to log forging or log splitting attacks.

Such manipulation can hinder forensic analysis, monitoring, and alerting systems that rely on the integrity of log data, increasing the risk of undetected security breaches.

The vulnerability affects users who configure Rfc5424Layout directly with TCP or TLS framing. Users relying on SyslogAppender are not affected.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if your Apache Log4j Core installation uses the Rfc5424Layout in versions 2.21.0 through 2.25.3 and if the configuration attributes newLineEscape or useTlsMessageFormat have been silently renamed or misconfigured, leading to potential CRLF injection.

Since the vulnerability is related to log injection via CRLF sequences due to configuration attribute renames, you can check your Log4j configuration files for the presence and correct naming of these attributes.

Suggested commands to detect vulnerable versions and configurations include:

  • Check Log4j Core version installed: `java -jar log4j-core.jar --version` or check your application's dependency tree (e.g., `mvn dependency:tree` or `gradle dependencies`).
  • Search configuration files for Rfc5424Layout usage and attribute names: `grep -r 'Rfc5424Layout' /path/to/config` and `grep -r 'newLineEscape' /path/to/config` or `grep -r 'useTlsMessageFormat' /path/to/config`.
  • Inspect logs for suspicious CRLF injection patterns or unexpected log formatting anomalies that could indicate exploitation attempts.

Note: The provided resources do not contain explicit detection commands or network detection methods, so these suggestions are based on the nature of the vulnerability and typical investigative steps.
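A configuration checker for the direct-configuration pattern that the description and the detection answer above discuss, added here as an example; it is not part of the CVE record, the vendor advisory or Log4j itself. It parses a constructed log4j2.xml, finds Rfc5424Layout elements that set the documented newLineEscape or useTlsMessageFormat attributes, and flags them when the log4j-core version falls in the affected 2.21.0 to 2.25.3 range, where those names are silently ignored. The sample configuration, the placeholder host and the "#012" escape value are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Affected range from the advisory: 2.21.0 (inclusive) up to the 2.25.4 fix (exclusive).
AFFECTED_MIN = (2, 21, 0)
FIXED = (2, 25, 4)
# Documented attribute names that the affected versions silently ignore.
WATCHED_ATTRS = ("newLineEscape", "useTlsMessageFormat")

# Constructed sample log4j2.xml: a TCP socket appender with Rfc5424Layout configured
# directly (the affected pattern); the host is a placeholder, not a real system.
SAMPLE_CONFIG = """
<Configuration status="WARN">
  <Appenders>
    <Socket name="syslog" host="LOGHOST_PLACEHOLDER" port="6514" protocol="TCP">
      <Rfc5424Layout appName="demo" newLineEscape="#012" useTlsMessageFormat="true"/>
    </Socket>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="syslog"/></Root></Loggers>
</Configuration>
"""

def parse_version(text):
    """'2.25.3' -> (2, 25, 3); a pre-release suffix such as '-alpha1' is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised log4j-core version: {text!r}")
    return tuple(int(part) for part in match.groups())

def is_affected_version(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED

def find_rfc5424_findings(config_xml, log4j_version):
    """Return (attribute, value, affected) for each watched attribute set on a
    directly configured Rfc5424Layout. affected=True means the given log4j-core
    version ignores that documented name, so the expected escaping or TLS framing
    is not applied even though the configuration looks correct."""
    root = ET.fromstring(config_xml.strip())
    affected = is_affected_version(log4j_version)
    findings = []
    for element in root.iter():
        if element.tag.lower() != "rfc5424layout":  # Log4j matches plugin names loosely
            continue
        for attr in WATCHED_ATTRS:
            if attr in element.attrib:
                findings.append((attr, element.attrib[attr], affected))
    return findings
```

Run it against each deployed log4j2.xml together with the log4j-core version from the dependency tree; any finding with affected=True means the configured escaping or TLS framing is not in effect until the upgrade to 2.25.4.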


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade Apache Log4j Core to version 2.25.4 or later, which contains the fix for this vulnerability by restoring the correct configuration attribute names and ensuring proper escaping to prevent CRLF injection.

Users who configure Rfc5424Layout directly should verify their configuration attributes to ensure they use the documented attribute names such as newLineEscape and useTlsMessageFormat, as the fix restores support for these.

Users of the SyslogAppender are not affected by this vulnerability and do not need to take action related to this issue.

In summary, upgrade to Apache Log4j Core 2.25.4 or later and review your logging configuration to confirm correct attribute usage.

