CVE-2026-49844
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
10/07/2026
Last modified:
10/07/2026
Description
Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0.<br />
<br />
The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document.<br />
<br />
The defect is reachable only when both of the following conditions hold:<br />
<br />
* The application uses the message resolver https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}).<br />
* The application logs a MapMessage that contains an attacker-controlled floating-point value.<br />
<br />
<br />
An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing.<br />
<br />
Users are advised to upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for non-finite values.
Impact
Base Score 4.0
6.30
Severity 4.0
MEDIUM



