PatchSiren cyber security CVE debrief
CVE-2026-34481 Apache CVE debrief
Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records. The vulnerability affects users of Apache Log4j who use JsonTemplateLayout and log MapMessages or objects directly, where the message contains an attacker-controlled floating-point value. An attacker can exploit this issue only if the application uses JsonTemplateLayout and logs a MapMessage or an object directly with an attacker-controlled floating-point value.
- Vendor
- Apache
- Product
- Log4j
- CVSS
- MEDIUM 6.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-10
- Original CVE updated
- 2026-07-11
- Advisory published
- 2026-04-10
- Advisory updated
- 2026-07-11
Who should care
Users of Apache Log4j who use JsonTemplateLayout and log MapMessages or objects directly, where the message contains an attacker-controlled floating-point value, should be aware of this issue and take steps to mitigate it. This includes reviewing logging configurations, monitoring logs for potential issues, and upgrading to a fixed version of Apache Log4j.
Technical summary
Apache Log4j's JsonTemplateLayout, in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity). An attacker can exploit this issue only if the application uses JsonTemplateLayout and logs a MapMessage or an object directly with an attacker-controlled floating-point value. Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4 or later to correct this issue. Note that the fix released in version 2.25.4 did not cover all affected code paths, and CVE-2026-49844 was assigned to the remaining issue.
Defensive priority
Medium priority should be given to updating Apache Log4j to version 2.25.4 or later, as this will help prevent potential issues with downstream log processing systems.
Recommended defensive actions
- Upgrade to Apache Log4j JSON Template Layout 2.25.4 or later
- Review and update logging configurations to prevent logging of attacker-controlled floating-point values
- Monitor logs for potential issues with downstream log processing systems
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-04-10T16:16:31.663Z and was last modified on 2026-07-11T06:16:10.317Z. The NVD entry is currently Modified. Evidence is limited to public sources and may not reflect the full scope or impact of this vulnerability. Defenders should verify affected systems and review vendor guidance for specific mitigation steps.
Official resources
-
CVE-2026-34481 CVE record
CVE.org
-
CVE-2026-34481 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
[email protected] - Issue Tracking
-
Mitigation or vendor reference
[email protected] - Mailing List, Vendor Advisory
-
Source reference
[email protected] - Product
-
Source reference
[email protected] - Technical Description
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-10T16:16:31.663Z and has not been modified since then.