CVE-2026-34478 Overview
Apache Log4j Core's Rfc5424Layout in versions 2.21.0 through 2.25.3 is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. This vulnerability affects users of stream-based syslog services who configure Rfc5424Layout directly, potentially allowing attackers to inject malicious content into log streams.
Two distinct issues affect users:
- The newLineEscape attribute was silently renamed, causing newline escaping to stop working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
- The useTlsMessageFormat attribute was silently renamed, causing users of TLS framing (RFC 5425) to be silently downgraded to unframed TCP (RFC 6587), without newline escaping.
Critical Impact
Attackers can exploit CRLF injection to manipulate log files, forge log entries, perform log injection attacks, or bypass security controls that rely on log integrity. Users of TCP-based syslog services with direct Rfc5424Layout configuration are at risk.
Affected Products
- Apache Log4j Core 2.21.0 through 2.25.3
- Applications using Rfc5424Layout directly with stream-based syslog services
- Systems using TCP framing (RFC 6587) or TLS framing (RFC 5425)
Discovery Timeline
- April 10, 2026 - CVE-2026-34478 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34478
Vulnerability Analysis
This vulnerability is classified as CWE-117: Improper Output Neutralization for Logs. The core issue stems from silent attribute renames in the Rfc5424Layout component that broke security-critical functionality without user notification.
When the newLineEscape attribute was renamed, applications that previously relied on this configuration to sanitize newline characters in log messages no longer received this protection. This creates an opportunity for attackers to inject CRLF sequences (\r\n) into log data, which can be used to forge log entries or manipulate log processing systems.
Similarly, the renamed useTlsMessageFormat attribute caused an inadvertent downgrade from TLS framing to unframed TCP, compounding the security impact by removing both transport security expectations and newline escaping protections.
Root Cause
The root cause is improper handling of configuration attribute renames in the Apache Log4j Core codebase. Security-relevant configuration attributes (newLineEscape and useTlsMessageFormat) were renamed without proper deprecation notices, documentation updates, or backward compatibility measures. This caused silent failures in security mechanisms that users expected to be active based on their existing configurations.
Attack Vector
The vulnerability is exploitable over the network. An attacker who can influence log message content (such as through user input fields, HTTP headers, or other data sources that get logged) can inject CRLF sequences that are no longer properly escaped.
The attack scenario involves:
- The attacker identifies an application using Apache Log4j Core 2.21.0 - 2.25.3 with Rfc5424Layout
- The attacker supplies malicious input containing CRLF sequences to a field that gets logged
- Due to the broken newLineEscape configuration, the CRLF sequences pass through unescaped
- The attacker can forge additional log entries, manipulate log analysis tools, or inject commands into log processing pipelines
For detailed technical analysis of the configuration changes, refer to the GitHub Pull Request that addresses this issue.
Detection Methods for CVE-2026-34478
Indicators of Compromise
- Log entries containing unexpected newline characters or CRLF sequences
- Anomalous log formatting inconsistent with the RFC 5424 specification
- Unusual patterns in syslog streams indicating potential log injection
- Configuration files referencing old attribute names (newLineEscape, useTlsMessageFormat) that are no longer being honored
Detection Strategies
- Audit Log4j configurations for use of Rfc5424Layout with stream-based syslog appenders
- Scan application dependencies to identify Log4j Core versions between 2.21.0 and 2.25.3
- Monitor log output for malformed RFC 5424 messages or unexpected line breaks
- Review network traffic for unencrypted syslog data where TLS was expected
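The configuration audit described above can be scripted. The following is an added example, not code from this advisory or from the Log4j project: it assumes XML configuration files, the sample configuration is constructed, and the helper names (`affected`, `is_rfc5424`, `audit_config`) are hypothetical.

```python
import xml.etree.ElementTree as ET

# Attribute names the advisory says are no longer honored in 2.21.0 through 2.25.3.
RENAMED = ("newLineEscape", "useTlsMessageFormat")

def affected(version: str) -> bool:
    """True for Log4j Core 2.21.0 through 2.25.3 (plain x.y.z versions only)."""
    return (2, 21, 0) <= tuple(int(p) for p in version.split(".")) <= (2, 25, 3)

def local(tag: str) -> str:
    """Lower-cased element name with any XML namespace prefix removed."""
    return tag.rsplit("}", 1)[-1].lower()

def is_rfc5424(elem) -> bool:
    # Concise form <Rfc5424Layout .../> or strict form <Layout type="Rfc5424Layout" .../>
    return local(elem.tag) == "rfc5424layout" or (
        local(elem.tag) == "layout" and elem.get("type", "").lower() == "rfc5424layout")

def audit_config(xml_text: str, version: str):
    """List directly configured Rfc5424Layout elements that set a renamed attribute."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for layout in filter(is_rfc5424, parent):
            # Log4j accepts settings as XML attributes or as nested elements.
            names = {k.lower() for k in layout.attrib} | {local(c.tag) for c in layout}
            relied_on = [n for n in RENAMED if n.lower() in names]
            if relied_on:
                findings.append({"appender": parent.get("name", parent.tag),
                                 "relies_on": relied_on,
                                 "at_risk": affected(version)})
    return findings

# Constructed sample configuration (hypothetical hosts and appender names).
SAMPLE = """<Configuration>
  <Appenders>
    <Socket name="siem-tcp" host="syslog.example.test" port="6514" protocol="TCP">
      <Rfc5424Layout appName="shop" newLineEscape="\\n" useTlsMessageFormat="true"/>
    </Socket>
    <Syslog name="managed" host="syslog.example.test" port="514" protocol="TCP"
            format="RFC5424" newLineEscape="\\n"/>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
</Configuration>"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE, "2.24.1"):
        print(finding)
```

Only the `Socket` appender with a directly configured `Rfc5424Layout` is reported; the `Syslog` appender is skipped because SyslogAppender is not affected.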
Monitoring Recommendations
- Implement log integrity monitoring to detect injected or forged log entries
- Set up alerts for Log4j configuration parsing warnings related to unrecognized attributes
- Monitor syslog receivers for malformed message patterns indicative of CRLF injection
- Track application dependency versions using Software Bill of Materials (SBOM) tools
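One way to monitor a receiver for the malformed patterns listed above, as an added example that is not part of the original advisory: it assumes the captured stream is LF-delimited (one RFC 5424 record per line), the sample bytes are constructed, and `audit_stream` is a hypothetical helper name.

```python
import re

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD...
HEADER = re.compile(
    rb"^<(\d{1,3})>1 "
    rb"(?:-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    rb"\S{1,255} \S{1,48} \S{1,128} \S{1,32} "
    rb"(?:-|\[)"
)

def audit_stream(data: bytes):
    """Return (record_index, reason) for each suspicious record in an LF-delimited stream."""
    records = data.split(b"\n")
    if records and records[-1] == b"":
        records.pop()  # the final LF terminates the last record
    findings = []
    for i, rec in enumerate(records):
        m = HEADER.match(rec)
        if m is None:
            findings.append((i, "no RFC 5424 header: continuation after a raw line break"))
        elif int(m.group(1)) > 191:
            findings.append((i, "PRI above 191"))
        if rec.endswith(b"\r"):
            findings.append((i, "ends in CR: the next record follows an unescaped CRLF"))
    return findings

# Constructed capture: record 1 ends in CR because the logged value contained CRLF
# followed by a forged header (record 2); record 4 is a headerless continuation line.
SAMPLE = (
    b"<134>1 2026-04-12T10:00:00.000Z web01 shop 4211 - - login ok user=alice\n"
    b"<134>1 2026-04-12T10:00:01.000Z web01 shop 4211 - - login failed user=bob\r\n"
    b"<134>1 2026-04-12T10:00:01.500Z web01 shop 4211 - - login ok user=admin\n"
    b"<134>1 2026-04-12T10:00:02.000Z web01 shop 4211 - - search q=first line\n"
    b"second line of the same message\n"
)

# Constructed capture with escaping active: CR and LF arrive as literal \r and \n text.
ESCAPED = (
    b"<134>1 2026-04-12T10:00:01.000Z web01 shop 4211 - - "
    b"login failed user=bob\\r\\n<134>1 forged\n"
)

if __name__ == "__main__":
    for idx, reason in audit_stream(SAMPLE):
        print(idx, reason)
```

Record 2 in the sample passes the header check on its own and is only exposed by the CR left on record 1, so a forged record placed after a bare LF would pass these format checks.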
How to Mitigate CVE-2026-34478
Immediate Actions Required
- Upgrade Apache Log4j Core to version 2.25.4 or later immediately
- Audit all applications using Rfc5424Layout with TCP or TLS-based syslog services
- Verify that newLineEscape and useTlsMessageFormat configurations are using the correct attribute names for your version
- Review log integrity for signs of exploitation during the vulnerable window
Patch Information
Apache has released Log4j Core 2.25.4, which corrects both configuration attribute issues. Users are strongly advised to upgrade to this version. The fix restores the expected behavior of newline escaping and TLS message formatting.
Workarounds
- If immediate upgrade is not possible, switch to using SyslogAppender, which is not affected by this vulnerability
- Implement additional input validation to strip CRLF sequences before data reaches logging components
- Consider temporarily switching to non-stream-based log transports until the upgrade can be completed
- Deploy network-level monitoring to detect CRLF injection attempts in syslog traffic
# Verify your Log4j Core version (prints each JAR path next to its manifest version)
find / -name "log4j-core*.jar" 2>/dev/null | while IFS= read -r jar; do
  printf '%s: %s\n' "$jar" "$(unzip -p "$jar" META-INF/MANIFEST.MF | grep Implementation-Version | tr -d '\r')"
done
# Check for vulnerable Rfc5424Layout configurations
grep -rn "Rfc5424Layout" /path/to/application/config/
# Update Log4j Core dependency in Maven pom.xml
# Change version to 2.25.4 or later