Description
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.

Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
* The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.


Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Published: 2026-04-10
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Log injection via CRLF sequences that bypasses newline escaping, allowing malicious log forging
Action: Immediate Patch
AI Analysis

Impact

Apache Log4j Core's Rfc5424Layout formats syslog messages according to RFC 5424. The flaw stems from the undocumented, silent renaming of two configuration attributes, newLineEscape and useTlsMessageFormat. Because configurations that still use the old attribute names are no longer honored, newline escaping fails for TCP framing and TLS framing connections are silently downgraded to unframed TCP. As a result, an attacker who can get controlled text into a logged message can inject CRLF sequences into the log output, forging log lines or manipulating log parsing. This log injection vulnerability undermines the integrity of log data and could facilitate later attacks such as credential theft or concealment of malicious activity.
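As an added example (not code from the advisory or from Log4j), the collector-side check that the monitoring advice on this page amounts to: split a constructed RFC 6587 LF-delimited TCP stream into records and flag any record that does not begin with an RFC 5424 header, alongside a small function mimicking the newline escaping that newLineEscape is meant to perform. The sample stream, the field values in it and the default replacement string are assumptions made for the example.

```python
import re

# Constructed sample of an RFC 6587 non-transparent (LF-delimited) TCP stream
# as a collector receives it once Rfc5424Layout stops escaping newlines: the
# second event's body carries an attacker-supplied CRLF followed by text shaped
# like a fresh record, so the collector sees four records instead of three.
CONSTRUCTED_STREAM = (
    "<14>1 2026-04-10T16:00:00.000Z app01 shop 4242 LOGIN - user=alice result=ok\n"
    "<14>1 2026-04-10T16:00:01.000Z app01 shop 4242 LOGIN - user=bob\r\n"
    "result=ok [audit] admin login from 10.0.0.1\n"
    "<14>1 2026-04-10T16:00:02.000Z app01 shop 4242 LOGIN - user=carol result=fail\n"
)

# RFC 5424 HEADER: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, fields
# space-separated and "-" when absent; PRI is 0..191 and VERSION is 1.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)

def has_valid_header(record):
    """True if the record begins with a syntactically valid RFC 5424 header."""
    m = HEADER_RE.match(record)
    return bool(m) and 0 <= int(m.group("pri")) <= 191 and m.group("version") == "1"

def find_suspicious_records(stream):
    """Return (index, text) for each non-empty record lacking a valid header.
    With escaping in force no body holds a bare LF, so every record must start
    with a header; one that does not is a likely injected continuation. A forger
    who supplies a complete header evades this check; escaping at the source
    (upgrading to 2.25.4) is the real fix."""
    suspicious = []
    for idx, record in enumerate(stream.split("\n")):
        record = record.rstrip("\r")
        if record and not has_valid_header(record):
            suspicious.append((idx, record))
    return suspicious

def escape_newlines(message, replacement="\\n"):
    """Mimic what the layout's newLineEscape does when honoured: replace CRLF,
    CR and LF in the message text so one event stays one record. The default
    replacement string here is this example's choice, not Log4j's."""
    return (message.replace("\r\n", replacement)
                   .replace("\r", replacement)
                   .replace("\n", replacement))

if __name__ == "__main__":
    for idx, text in find_suspicious_records(CONSTRUCTED_STREAM):
        print(f"record {idx} has no RFC 5424 header: {text!r}")
```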

Affected Systems

The vulnerability impacts all users of Apache Log4j Core versions 2.21.0 through 2.25.3 that configure Rfc5424Layout directly. SyslogAppender users are not affected because their configuration attributes remain unchanged. The affected vendor is the Apache Software Foundation and the product is Apache Log4j Core.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Nevertheless, attackers can potentially exploit it remotely by sending crafted messages to a system that logs through Rfc5424Layout, achieving log forging or manipulation. Organizations should treat the risk as moderate and apply fixes promptly.

Generated by OpenCVE AI on April 14, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the Log4j Core version in use. Upgrade to version 2.25.4 or later, which restores the correct configuration behavior. Confirm that Rfc5424Layout is configured correctly after the upgrade. Monitor log files for any unusual CRLF injection patterns during the transition.

Generated by OpenCVE AI on April 14, 2026 at 01:41 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-445c-vh5m-36rj
Title: Apache Log4j Core: log injection in `Rfc5424Layout` due to silent configuration incompatibility
History

Fri, 24 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:apache:log4j:3.0.0:beta3:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 14 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-93
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N'}

threat_severity

Moderate


Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
References

Fri, 10 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Description Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly: * The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output. * The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping. Users of the SyslogAppender are not affected, as its configuration attributes were not modified. Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
Title Apache Log4j Core: Log injection in Rfc5424Layout due to silent configuration incompatibility
First Time appeared Apache
Apache log4j
Weaknesses CWE-117
CWE-684
CPEs cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*
Vendors & Products Apache
Apache log4j
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:50:12.484Z

Reserved: 2026-03-28T13:17:35.586Z

Link: CVE-2026-34478

Vulnrichment

Updated: 2026-04-10T16:18:17.528Z

NVD

Status : Analyzed

Published: 2026-04-10T16:16:31.070

Modified: 2026-04-24T18:10:57.370

Link: CVE-2026-34478

Redhat

Severity : Moderate

Public Date: 2026-04-10T15:40:17Z

Links: CVE-2026-34478 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-14T16:36:26Z

Weaknesses