CVE-2026-40021

Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
10/04/2026
Last modified:
10/04/2026

Description

Apache Log4net's XmlLayout (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list) and XmlLayoutSchemaLog4J (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list), in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in MDC property keys and values, and in the identity field. These fields may carry attacker-influenced data. In practice the forbidden characters are the C0 control characters other than tab, line feed and carriage return, plus a few other code points the XML 1.0 Char production excludes, such as unpaired surrogates and U+FFFE/U+FFFF. When such a character reaches the XML serializer it throws an exception, and the affected log event is silently lost rather than written.

An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and the detection of malicious activity.

Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.
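The following C# program is an added example and is not log4net code; it reproduces the failure mode the advisory describes and shows one way to sanitize before serialization. It writes a single event in the log4j XML shape (log4j:event with log4j:properties) through a System.Xml.XmlWriter whose default CheckCharacters setting enforces the XML 1.0 Char production, so an MDC value containing a NUL or ESC aborts serialization with an ArgumentException, exactly as the advisory's "exception during serialization" describes. The class Log4jXmlEventDemo, the helper SanitizeXmlChars (which replaces each forbidden code point with U+FFFD) and the constructed sample MDC are assumptions of this example; the advisory does not state how Log4net 3.3.0 itself performs the sanitization, so treat the helper as an illustration of the check, not as the project's fix.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Xml;

// Added example, not log4net code. Shows why an unsanitized MDC value makes the
// event vanish, and what a pre-serialization sanitizer for XML 1.0 looks like.
public static class Log4jXmlEventDemo
{
    private const string Log4jNs = "http://jakarta.apache.org/log4j/";

    // Hypothetical helper: keep only code points allowed by the XML 1.0 Char production
    //   Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
    // and replace everything else (NUL, ESC, other C0 controls, lone surrogates,
    // U+FFFE/U+FFFF) with U+FFFD so the record is still written and still parseable.
    public static string SanitizeXmlChars(string s)
    {
        if (string.IsNullOrEmpty(s)) return s;
        var sb = new StringBuilder(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            char c = s[i];
            // A valid surrogate pair encodes [#x10000-#x10FFFF]; keep both halves.
            if (char.IsHighSurrogate(c) && i + 1 < s.Length
                && XmlConvert.IsXmlSurrogatePair(s[i + 1], c))
            {
                sb.Append(c).Append(s[i + 1]);
                i++;
            }
            else if (XmlConvert.IsXmlChar(c))
            {
                sb.Append(c);
            }
            else
            {
                sb.Append('\uFFFD');
            }
        }
        return sb.ToString();
    }

    // Serialize one event. With CheckCharacters = true (the XmlWriter default) any
    // forbidden character in logger, message, MDC key or MDC value throws an
    // ArgumentException, and the caller gets no XML for this event at all.
    public static string WriteEvent(string logger, string message,
        IDictionary<string, string> mdc, Func<string, string> sanitize)
    {
        var settings = new XmlWriterSettings { OmitXmlDeclaration = true, CheckCharacters = true };
        var sw = new StringWriter();
        using (var w = XmlWriter.Create(sw, settings))
        {
            w.WriteStartElement("log4j", "event", Log4jNs);
            w.WriteAttributeString("logger", sanitize(logger));
            w.WriteStartElement("log4j", "message", Log4jNs);
            w.WriteString(sanitize(message));
            w.WriteEndElement();
            w.WriteStartElement("log4j", "properties", Log4jNs);
            foreach (var kv in mdc)
            {
                // Keys are attacker-influenceable too, so they get the same treatment.
                w.WriteStartElement("log4j", "data", Log4jNs);
                w.WriteAttributeString("name", sanitize(kv.Key));
                w.WriteAttributeString("value", sanitize(kv.Value));
                w.WriteEndElement();
            }
            w.WriteEndElement();
            w.WriteEndElement();
        }
        return sw.ToString();
    }

    public static void Main()
    {
        // Constructed sample: a username carrying a NUL and an ANSI escape sequence
        // (ESC, 0x1B), both outside the XML 1.0 Char production.
        var mdc = new Dictionary<string, string>
        {
            { "user", "alice\u0000\u001b[2J" },
            { "ip", "203.0.113.7" }
        };

        try
        {
            WriteEvent("Auth", "login failed", mdc, s => s); // no sanitization
            Console.WriteLine("unsanitized: serialized (not expected)");
        }
        catch (ArgumentException ex)
        {
            // This is the path an attacker abuses: the event is never written.
            Console.WriteLine("unsanitized: event dropped: " + ex.Message);
        }

        // Sanitized: the same event serializes, with U+FFFD marking the stripped bytes.
        Console.WriteLine(WriteEvent("Auth", "login failed", mdc, SanitizeXmlChars));
    }
}
```

Replacing with U+FFFD is one defensible choice because it keeps the record and leaves a visible marker that something was removed; escaping to a textual form such as \u0000 is another. Whichever is used, the check should run on every attacker-influenced field (MDC keys, MDC values and the identity field named in the advisory) before the XmlWriter sees it, and the appender's error handling should be configured so that a serialization failure is reported rather than discarded silently.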