PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49844 Apache Software Foundation CVE debrief

CVE-2026-49844 involves improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API, producing output that is not valid JSON. This defect is reachable when an application uses the message resolver of JsonTemplateLayout or other layouts that rely on MapMessage.asJson() or MapMessage.getFormattedMessage and logs a MapMessage with an attacker-controlled floating-point value. The likely operational impact includes disruption of downstream log ingestion and parsing. The source confidence is high based on the official CVE record and NVD details.

Vendor
Apache Software Foundation
Product
Apache Log4j API
CVSS
MEDIUM 6.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0 should upgrade to Apache Log4j API 2.25.5 or 2.26.1. Affected operators include developers and administrators responsible for logging and log management. The vulnerability management team should review the official advisory and assess the exposure of their Log4j API deployments. Security teams should monitor logs for potential attacker-controlled floating-point values.

Technical summary

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. The defect is reachable only when both of the following conditions hold: The application uses the message resolver of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage. The application logs a MapMessage that contains an attacker-controlled floating-point value. The issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0.

Defensive priority

Upgrade to Apache Log4j API 2.25.5 or 2.26.1 and review application use of JsonTemplateLayout and other layouts that rely on MapMessage.asJson() or MapMessage.getFormattedMessage

Recommended defensive actions

  • Upgrade to Apache Log4j API 2.25.5 or 2.26.1
  • Review application use of JsonTemplateLayout and other layouts that rely on MapMessage.asJson() or MapMessage.getFormattedMessage
  • Monitor logs for potential attacker-controlled floating-point values
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. This issue is related to the encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API, which produces output that is not valid JSON. Users should verify the affected scope and validate the input to prevent potential attacks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:42.540Z and has not been modified since then.