CVE-2026-34481

EUVD-2026-21412

10.04.2026, 16:16

Apache Log4j's  JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This may cause downstream log processing systems to reject or fail to index affected records.

An attacker can exploit this issue only if both of the following conditions are met:

  *  The application uses JsonTemplateLayout.
  *  The application logs a MapMessage containing an attacker-controlled floating-point value.


Users are advised to upgrade to Apache Log4j JSON Template Layout 2.25.4, which corrects this issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
apache	log4j	2.14.0 ≤ 𝑥 < 2.25.4
apache	log4j	3.0.0:alpha1
apache	log4j	3.0.0:alpha1_rc1
apache	log4j	3.0.0:alpha1_rc2
apache	log4j	3.0.0:beta1
apache	log4j	3.0.0:beta2
apache	log4j	3.0.0:beta3

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

log4j

suse enterprise desktop 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise sap 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP4	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP7	2.20.0-150200.4.33.1 fixed

log4j-javadoc

suse enterprise desktop 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise sap 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP4	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP7	2.20.0-150200.4.33.1 fixed

log4j-jcl

suse enterprise desktop 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise sap 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP4	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP7	2.20.0-150200.4.33.1 fixed

log4j-slf4j

suse enterprise desktop 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise sap 15 SP7	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP4	2.20.0-150200.4.33.1 fixed
suse enterprise server 15 SP7	2.20.0-150200.4.33.1 fixed

Common Weakness Enumeration

CWE-116 - Improper Encoding or Escaping of Output
The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References

https://github.com/apache/logging-log4j2/pull/4080

https://lists.apache.org/thread/n34zdv00gbkdbzt2rx9rf5mqz6lhopcv

https://logging.apache.org/cyclonedx/vdr.xml

https://logging.apache.org/log4j/2.x/manual/json-template-layout.html

https://logging.apache.org/security.html#CVE-2026-34481

http://www.openwall.com/lists/oss-security/2026/04/10/10