Severity
6.9 MEDIUM
EPSS
0.1%
top 65.13%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Apr 10
Latest update: Apr 13
Description
Apache Log4j Core's Rfc5424Layout (https://logging.apache.org/log4j/2.x/manual/layouts.html#RFC5424Layout), in versions 2.21.0 through 2.25.3, is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes.
Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:
* The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587)…
CVSS vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
Affected Packages: 2 packages
Vulnerability Details (3)
Vendor Advisories (1)
Red Hat
org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames (2026-04-10)
Community (7)
Bugzilla
CVE-2026-34478 apache-commons-configuration: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames [fedora-all] (2026-04-13)
Bugzilla
CVE-2026-34478 flexmark-java: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames [fedora-all] (2026-04-13)
Bugzilla
CVE-2026-34478 ceph: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames [fedora-all] (2026-04-13)
Bugzilla
CVE-2026-34478 log4j: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames [fedora-all] (2026-04-13)
Bugzilla
CVE-2026-34478 resteasy: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames [fedora-all] (2026-04-13)