CVE-2026-34481
CVSS v4.0 severity:
MEDIUM
Type:
Not available / Other type
Publication date:
10/04/2026
Last modified:
10/04/2026
Description
Apache Log4j's JsonTemplateLayout (https://logging.apache.org/log4j/2.x/manual/json-template-layout.html), in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

* The application uses JsonTemplateLayout.
* The application logs a MapMessage containing an attacker-controlled floating-point value.

Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.
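
As an added example (not part of the advisory or of Log4j), this Python sketch shows how a log pipeline can locate records affected by this issue: it finds bare NaN/Infinity/-Infinity tokens, which strict RFC 8259 parsers reject, and reports the JSON path of each so the offending field can be identified. The sample lines and field names are constructed assumptions, not real JsonTemplateLayout output.

```python
import json

class NonFinite:
    """Placeholder for a bare NaN / Infinity / -Infinity token."""
    def __init__(self, token):
        self.token = token

def non_finite_paths(line):
    """Return [(json_path, token)] for each non-finite number in one JSON line.

    json.loads calls parse_constant only for the bare tokens, so a quoted
    string such as "NaN" is not reported. Raises json.JSONDecodeError if the
    line is malformed for any other reason.
    """
    found = []
    def walk(node, path):
        if isinstance(node, NonFinite):
            found.append((path, node.token))
        elif isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
    walk(json.loads(line, parse_constant=NonFinite), "$")
    return found

def audit(lines):
    """Return (affected, malformed): {lineno: hits} and a list of linenos."""
    affected, malformed = {}, []
    for lineno, line in enumerate(lines, start=1):
        try:
            hits = non_finite_paths(line)
        except json.JSONDecodeError:
            malformed.append(lineno)
            continue
        if hits:
            affected[lineno] = hits
    return affected, malformed

# Constructed sample lines (field names are illustrative assumptions).
SAMPLE = [
    '{"level":"INFO","message":{"user":"alice","latency":12.5}}',
    '{"level":"INFO","message":{"user":"bob","latency":NaN}}',
    '{"level":"WARN","message":{"note":"NaN","ratio":-Infinity,"samples":[1.0,Infinity]}}',
]

if __name__ == "__main__":
    for lineno, hits in audit(SAMPLE)[0].items():
        print(lineno, hits)
```

Running it over a rejected-records queue separates lines broken by non-finite numbers from lines that are malformed for unrelated reasons.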
Impact
Base score 4.0
6.30
Severity 4.0
MEDIUM
References to solutions, tools and information
- https://github.com/apache/logging-log4j2/pull/4080
- https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv
- https://logging.apache.org/cyclonedx/vdr.xml
- https://logging.apache.org/log4j/2.x/manual/json-template-layout.html
- https://logging.apache.org/security.html#CVE-2026-34481
- http://www.openwall.com/lists/oss-security/2026/04/10/10



