CVE-2026-34478
CVSS v4.0 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
10/04/2026
Last modified:
10/04/2026
Description
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.

Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
* The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Impact
Base score 4.0
6.90
Severity 4.0
MEDIUM
References to solutions, tools and information
- https://github.com/apache/logging-log4j2/pull/4074
- https://lists.apache.org/thread/3k1clr2l6vkdnl4cbhjrnt1nyjvb5gwt
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout
- https://logging.apache.org/security.html#CVE-2026-34478
- http://www.openwall.com/lists/oss-security/2026/04/10/7



