Apache Log4j Core's Rfc5424Layout https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout , in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
Users of the SyslogAppender are not affected, as its configuration attributes were not modified.
Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue.
{
"cwe_ids": [
"CWE-117",
"CWE-684"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34478.json",
"cna_assigner": "apache"
}{
"cpe": [
"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
"cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*",
"cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*",
"cpe:2.3:a:apache:log4j:3.0.0:beta3:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2.21.0"
},
{
"fixed": "2.25.4"
},
{
"introduced": "3.0.0-beta1"
},
{
"last_affected": "3.0.0-beta1"
},
{
"introduced": "3.0.0-beta2"
},
{
"last_affected": "3.0.0-beta2"
},
{
"introduced": "3.0.0-beta3"
},
{
"last_affected": "3.0.0-beta3"
}
],
"source": [
"CPE_RANGE",
"CPE_STRING"
]
}