Description
Apache Log4net's XmlLayout (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list) and XmlLayoutSchemaLog4J (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list), in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in MDC property keys and values, as well as in the identity field, which may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.

An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.
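As an added illustration, not log4net's own code: a small Python model of the failure in which a Log4J-style XML layout serializes an event whose identity and MDC values carry control characters, together with the check (XML 1.0 "Char" production) and the escaping that keeps such an event from being lost. The element names, the field names and the sample values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

def is_xml10_char(cp: int) -> bool:
    """XML 1.0 'Char' production: #x9 | #xA | #xD | [#x20-#xD7FF]
    | [#xE000-#xFFFD] | [#x10000-#x10FFFF]."""
    return (cp in (0x9, 0xA, 0xD)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)

def sanitize_xml10(text: str) -> str:
    """Replace each forbidden character with a visible \\uXXXX escape so the
    event still serializes and the odd input stays reviewable."""
    return "".join(ch if is_xml10_char(ord(ch)) else "\\u%04x" % ord(ch)
                   for ch in text)

def forbidden_fields(identity: str, mdc: dict) -> list:
    """Names of the fields carrying forbidden characters; a non-empty result is
    worth alerting on, since that input would have dropped the event."""
    bad = lambda s: not all(is_xml10_char(ord(c)) for c in s)
    hits = ["identity"] if bad(identity) else []
    hits += ["mdc:" + k for k, v in mdc.items() if bad(k) or bad(v)]
    return hits

def render_event(message: str, identity: str, mdc: dict, sanitize=True) -> str:
    """Serialize one event in a Log4J-style layout (event/message/properties/data).
    This is an approximation for illustration, not log4net's own code."""
    clean = sanitize_xml10 if sanitize else (lambda s: s)
    ev = ET.Element("event", identity=clean(identity))
    ET.SubElement(ev, "message").text = clean(message)
    props = ET.SubElement(ev, "properties")
    for k, v in mdc.items():
        ET.SubElement(props, "data", name=clean(k), value=clean(v))
    return ET.tostring(ev, encoding="unicode")

def well_formed(xml_text: str) -> bool:
    # True if a consumer's XML parser accepts the serialized event.
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

# Constructed sample input: SOH, NUL and ESC bytes in the identity and MDC.
IDENTITY = "web\x01app"
MDC = {"user": "alice\x00", "session": "abc\x1bdef"}

if __name__ == "__main__":
    print("alert on:", forbidden_fields(IDENTITY, MDC))
    print(render_event("login ok", IDENTITY, MDC))
```

Run as-is, the unsanitized rendering of the sample is rejected by the XML parser while the sanitized one parses, which is the difference between a lost record and a reviewable one.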
Published: 2026-04-10
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Audit trail suppression
Action: Immediate patch
AI Analysis

Impact

Apache Log4net's XmlLayout and XmlLayoutSchemaLog4J fail to escape characters forbidden by the XML 1.0 specification when they appear in MDC property keys and values or in the identity field. When such a character is present, an exception occurs during serialization and the entire log event is silently dropped. This loss of log records directly undermines the reliability of audit logs and can prevent detection of malicious activity. The weakness is a classic example of improper input sanitization (CWE-116).

Affected Systems

The vulnerability affects Apache Log4net libraries released before version 3.3.0. All deployments of Log4net running those older versions are susceptible, regardless of specific host or operating system, as the issue is confined to the library itself.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. Exploitation requires an attacker to inject or influence data that ends up in MDC keys, values, or the identity field, so the attack vector is typically application input that gets logged. The exact probability of exploitation is unknown because EPSS data are not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker able to control these fields could quietly remove specific log entries, erasing evidence of their activity and weakening defensive monitoring.

Generated by OpenCVE AI on April 10, 2026 at 17:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Log4net to version 3.3.0 or later, which corrects the input sanitization flaw.

Generated by OpenCVE AI on April 10, 2026 at 17:41 UTC.

Advisories
Source: Github GHSA
ID: GHSA-4f7c-pmjv-c25w
Title: Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
History

Wed, 22 Apr 2026 14:15:00 +0000
Metrics cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Fri, 10 Apr 2026 18:15:00 +0000
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 17:30:00 +0000
References

Fri, 10 Apr 2026 16:00:00 +0000
Description: Apache Log4net's XmlLayout (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list) and XmlLayoutSchemaLog4J (https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list), in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets) in MDC property keys and values, as well as in the identity field, which may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event. An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity. Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.
Title: Apache Log4net: Silent log event loss in XmlLayout and XmlLayoutSchemaLog4J due to unescaped XML 1.0 forbidden characters
First Time appeared: Apache, Apache log4net
Weaknesses: CWE-116
CPEs: cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*
Vendors & Products: Apache, Apache log4net
References
Metrics cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T17:35:01.228Z

Reserved: 2026-04-08T10:03:43.840Z

Link: CVE-2026-40021

Vulnrichment

Updated: 2026-04-10T16:18:21.980Z

NVD

Status: Analyzed

Published: 2026-04-10T16:16:32.420

Modified: 2026-04-22T14:13:45.013

Link: CVE-2026-40021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:01:10Z

Weaknesses