PatchSiren cyber security CVE debrief
CVE-2026-49844 Apache Software Foundation CVE debrief
CVE-2026-49844 involves improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API, producing output that is not valid JSON. This defect is reachable when an application uses the message resolver of JsonTemplateLayout or other layouts that rely on MapMessage.asJson() or MapMessage.getFormattedMessage and logs a MapMessage with an attacker-controlled floating-point value. The likely operational impact includes disruption of downstream log ingestion and parsing. The source confidence is high based on the official CVE record and NVD details.
- Vendor
- Apache Software Foundation
- Product
- Apache Log4j API
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0 should upgrade to Apache Log4j API 2.25.5 or 2.26.1. Affected operators include developers and administrators responsible for logging and log management. The vulnerability management team should review the official advisory and assess the exposure of their Log4j API deployments. Security teams should monitor logs for potential attacker-controlled floating-point values.
Technical summary
Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. The defect is reachable only when both of the following conditions hold: The application uses the message resolver of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage. The application logs a MapMessage that contains an attacker-controlled floating-point value. The issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0.
Defensive priority
Upgrade to Apache Log4j API 2.25.5 or 2.26.1 and review application use of JsonTemplateLayout and other layouts that rely on MapMessage.asJson() or MapMessage.getFormattedMessage
Recommended defensive actions
- Upgrade to Apache Log4j API 2.25.5 or 2.26.1
- Review application use of JsonTemplateLayout and other layouts that rely on MapMessage.asJson() or MapMessage.getFormattedMessage
- Monitor logs for potential attacker-controlled floating-point values
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. This issue is related to the encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API, which produces output that is not valid JSON. Users should verify the affected scope and validate the input to prevent potential attacks.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:42.540Z and has not been modified since then.