CVE-2026-34481 Overview
Apache Log4j's JsonTemplateLayout component contains a vulnerability that produces invalid JSON output when log events contain non-finite floating-point values (NaN, Infinity, or -Infinity), which are prohibited by RFC 8259. This improper encoding of special characters (CWE-116) may cause downstream log processing systems to reject or fail to index affected records, potentially disrupting logging infrastructure and security monitoring capabilities.
An attacker can exploit this issue only when both of the following conditions are met: the application uses JsonTemplateLayout, and the application logs a MapMessage containing an attacker-controlled floating-point value. While the vulnerability requires specific conditions to exploit, successful attacks could undermine log integrity and monitoring systems.
Critical Impact
Applications using Apache Log4j JsonTemplateLayout with versions up to and including 2.25.3 may produce malformed JSON logs when processing attacker-controlled floating-point values, potentially causing log processing failures and loss of visibility into application behavior.
Affected Products
- Apache Log4j JSON Template Layout versions up to and including 2.25.3
- Applications using JsonTemplateLayout that log MapMessage objects with user-controlled floating-point data
Discovery Timeline
- April 10, 2026 - CVE-2026-34481 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34481
Vulnerability Analysis
This vulnerability stems from improper output encoding (CWE-116) within Apache Log4j's JsonTemplateLayout component. The core issue lies in how the layout handles special floating-point values that are valid in Java but prohibited by the JSON specification defined in RFC 8259.
When an application logs a MapMessage containing floating-point values such as Double.NaN, Double.POSITIVE_INFINITY, or Double.NEGATIVE_INFINITY, JsonTemplateLayout directly serializes these values into the JSON output without proper encoding or substitution. Since RFC 8259 explicitly prohibits these non-finite numeric values, the resulting JSON becomes technically invalid and may be rejected by downstream systems.
The attack surface requires that an attacker can influence floating-point values that get logged via MapMessage. This could occur through user-supplied data that triggers mathematical operations resulting in non-finite values, or through direct injection of such values where input validation is insufficient.
Root Cause
The root cause is improper output encoding in the JsonTemplateLayout class when serializing floating-point numbers. The component fails to validate or sanitize non-finite floating-point values before writing them to the JSON output stream. Rather than replacing invalid values with compliant alternatives (such as null or string representations), the layout writes the raw Java string representations directly, producing RFC 8259-violating output.
Attack Vector
The vulnerability is exploitable over the network but requires both high attack complexity and specific preconditions. An attacker must:
- Identify an application using Apache Log4j with JsonTemplateLayout configured
- Find an input vector that allows influencing floating-point values logged via MapMessage
- Supply values that result in NaN, Infinity, or -Infinity being logged (either directly or through mathematical operations like division by zero)
The attack's impact is primarily against downstream log processing infrastructure rather than the application itself. Successful exploitation could cause log aggregation systems (such as Elasticsearch, Splunk, or custom SIEM solutions) to reject malformed records, creating gaps in security visibility.
The vulnerability mechanism involves improper handling of special floating-point values during JSON serialization. When a MapMessage contains values like Double.NaN or Double.POSITIVE_INFINITY, these are written directly to the JSON output. For example, a legitimate floating-point value would serialize correctly as valid JSON, but non-finite values are serialized in their raw Java string form (e.g., NaN or Infinity), which violates RFC 8259 that explicitly prohibits such values in JSON. For detailed technical information, see the GitHub Pull Request that addresses this issue.
Detection Methods for CVE-2026-34481
Indicators of Compromise
- JSON parsing errors in log aggregation systems (Elasticsearch, Splunk, Logstash) indicating malformed records
- Log entries containing literal NaN, Infinity, or -Infinity strings in JSON-formatted output
- Increased rate of rejected or failed log indexing operations in downstream processing systems
- Application logs showing MapMessage entries with suspicious or unusual floating-point values
Detection Strategies
- Monitor log aggregation pipelines for JSON parsing failures that may indicate malformed Log4j output
- Implement input validation monitoring to detect attempts to inject non-finite floating-point values
- Review application configurations to identify usage of JsonTemplateLayout in Log4j configurations
- Deploy SentinelOne agents to detect anomalous logging behavior and potential exploitation attempts
Monitoring Recommendations
- Configure alerts for spikes in log parsing errors at the log aggregation layer
- Implement application-level logging to track MapMessage usage patterns and detect suspicious floating-point inputs
- Use SentinelOne's behavioral AI to identify unusual application patterns that may indicate exploitation attempts
- Regularly audit Log4j configuration files (log4j2.xml, log4j2.properties) for JsonTemplateLayout usage
How to Mitigate CVE-2026-34481
Immediate Actions Required
- Upgrade Apache Log4j JSON Template Layout to version 2.25.4 or later, which corrects the non-finite floating-point handling
- Audit applications to identify any using JsonTemplateLayout with MapMessage logging of user-controlled data
- Implement input validation to reject or sanitize non-finite floating-point values before they reach logging code
- Consider temporarily switching to alternative layout formats if immediate patching is not feasible
Patch Information
Apache has released Log4j JSON Template Layout version 2.25.4 to address this vulnerability. The patch ensures that non-finite floating-point values are properly handled according to RFC 8259 compliance requirements. Users should upgrade all affected Log4j installations to this version.
For detailed patch information, consult the Apache Security Advisory for CVE-2026-34481 and the GitHub Pull Request #4080.
Additional resources:
Workarounds
- Implement application-level input validation to filter non-finite floating-point values before logging
- Switch to alternative Log4j layout formats (such as PatternLayout or XMLLayout) that handle non-finite values differently
- Deploy downstream JSON validation or sanitization in log processing pipelines to handle malformed records gracefully
- Consider wrapping floating-point logging operations with explicit checks for Double.isFinite() before logging
# Example: Check Log4j version and configuration
# Identify Log4j JAR versions in your application
find /path/to/application -name "log4j-*.jar" -exec basename {} \;
# Search for JsonTemplateLayout usage in configuration files
grep -r "JsonTemplateLayout" /path/to/application/config/
# Verify updated version after patching
java -cp "log4j-core-2.25.4.jar:log4j-api-2.25.4.jar" org.apache.logging.log4j.util.Log4jVersionInfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
