Mallory
Medium

CRLF Log Injection in Apache Log4j Core Rfc5424Layout

Identifiers: CVE-2026-34478 · CWE-117 (Improper Output Neutralization for Logs)

CVE-2026-34478 is a log injection vulnerability in Apache Log4j Core's Rfc5424Layout. It affects versions 2.21.0 through 2.25.3; supporting context also lists 3.0.0-beta1 through 3.0.0-beta3 as affected. The root cause is an undocumented renaming of two security-relevant configuration attributes of Rfc5424Layout. The newLineEscape attribute was silently renamed, so an existing configuration that sets it under the documented name can silently lose newline escaping in deployments that send syslog over TCP with RFC 6587 framing. In a separate but related issue, the useTlsMessageFormat attribute was silently renamed, which can silently downgrade a deployment intended to use TLS transport with RFC 5425 framing to plain TCP under RFC 6587, again without newline escaping. Under RFC 6587 non-transparent framing, LF is the record terminator, so an unescaped CR or LF inside a logged field ends the current record and lets the rest of the field be parsed by the receiver as a new one. In affected stream-based syslog deployments that configure Rfc5424Layout directly, attacker-controlled CRLF sequences are therefore emitted into the log output, enabling log injection. Apache states that SyslogAppender users are not affected because its configuration attributes were not modified.

ANALYST BRIEF

Impact, mitigation & remediation


Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation lets an attacker inject CRLF sequences into syslog output. Because the receiver treats a newline as the end of a record, the injected bytes can forge whole log records, splice into existing ones, corrupt the audit trail, and plant misleading or attacker-controlled entries in downstream logging and monitoring systems. In configurations intended to use TLS syslog framing, the silent downgrade to plain TCP without newline escaping increases exposure further: the transport and framing change while the configuration still looks valid, so nothing prompts an operator to check. The primary security impact is integrity compromise of logs and audit records, not code execution.

Mitigation

If you can’t patch tonight, do this now.

Until patching is completed, avoid configuring Rfc5424Layout directly in affected stream-based syslog deployments where untrusted input may be logged. Prefer SyslogAppender where feasible, since Apache states that SyslogAppender users are not affected. Verify, rather than assume, that newline escaping is actually applied to emitted syslog messages: in a test environment, log a value containing CR and LF and capture the bytes at the receiver to see whether they arrive as one record or two. Likewise confirm that deployments meant to use TLS are really speaking RFC 5425 and have not been downgraded to RFC 6587 behavior. Where possible, strip or reject CR and LF characters in attacker-controlled fields before they reach the logger.
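The record splitting described under Impact and the escaping check suggested above, as an added example that is not code from the Mallory page or from Apache Log4j. The script frames one constructed RFC 5424 message under both of the framings the advisory contrasts and audits what a receiver would extract. The message, the attacker-controlled user field, the record-start pattern and the escape_newlines function are the author's own constructions; in particular, escape_newlines models what a newline-escape setting is for and is not Log4j's Rfc5424Layout implementation.

```python
import re

# Start of an RFC 5424 record: "<PRI>1 " (PRI, VERSION "1", SP).
_RECORD_START = re.compile(rb"^<\d{1,3}>1 ")

# Constructed attacker-controlled field: a username that carries CRLF followed
# by a complete, plausible-looking second record.
ATTACKER_USER = (
    "bob\r\n<14>1 2026-01-01T00:00:00Z host app - - - login user=admin result=ok"
)


def escape_newlines(text: str, replacement: str = "\\n") -> str:
    """Replace CRLF, CR and LF with a visible escape before framing.

    Assumption: this is the author's own model of what a newline-escape
    setting is for, not Log4j's Rfc5424Layout implementation.
    """
    return (
        text.replace("\r\n", replacement)
        .replace("\r", replacement)
        .replace("\n", replacement)
    )


def rfc5424_message(user: str) -> bytes:
    """Constructed RFC 5424 record whose MSG part carries the user field."""
    return ("<14>1 2026-01-01T00:00:00Z host app - - - login user=" + user).encode()


def frame_non_transparent(messages: list) -> bytes:
    """RFC 6587 non-transparent framing: LF after every record."""
    return b"".join(m + b"\n" for m in messages)


def frame_octet_counted(messages: list) -> bytes:
    """Octet counting ("MSG-LEN SP SYSLOG-MSG"), the framing RFC 5425 uses."""
    return b"".join(b"%d %s" % (len(m), m) for m in messages)


def split_non_transparent(stream: bytes) -> list:
    """What a non-transparent-framing receiver extracts: one record per LF."""
    return [r for r in stream.split(b"\n") if r]


def split_octet_counted(stream: bytes) -> list:
    """What an octet-counting receiver extracts: exactly MSG-LEN bytes each."""
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        length = int(stream[i:sp])
        start = sp + 1
        records.append(stream[start:start + length])
        i = start + length
    return records


def audit(records: list) -> dict:
    """Summarise what a receiver accepted and whether splice evidence remains."""
    accepted = [r for r in records if _RECORD_START.match(r)]
    return {
        "records": len(records),
        "accepted": len(accepted),
        "fragments": len(records) - len(accepted),
        "with_cr_or_lf": sum(1 for r in records if b"\r" in r or b"\n" in r),
    }


def run_scenarios() -> dict:
    """Frame the same message three ways and audit each resulting stream."""
    raw = rfc5424_message(ATTACKER_USER)
    escaped = rfc5424_message(escape_newlines(ATTACKER_USER))
    return {
        "rfc6587_unescaped": audit(split_non_transparent(frame_non_transparent([raw]))),
        "rfc6587_escaped": audit(split_non_transparent(frame_non_transparent([escaped]))),
        "octet_counted_unescaped": audit(split_octet_counted(frame_octet_counted([raw]))),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Under non-transparent framing the unescaped message arrives as two records that both pass the record-start check; the second is the forged entry, and the first keeps a stray CR. With escaping applied, the same input stays one record with no CR or LF. Under octet counting the bytes also stay in one record, but the embedded CRLF survives, so line-oriented consumers behind the receiver can still be misled; framing reduces the splice but does not replace escaping. To check a real deployment, log a field containing CR and LF in a test environment, capture the bytes at the receiver, and count records the same way.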

Remediation

Patch, then assume compromise.

Upgrade Apache Log4j Core to version 2.25.4 or later; Apache states that 2.25.4 corrects the issue. Then review every Rfc5424Layout configuration for the renamed attributes, in particular newLineEscape and useTlsMessageFormat, and confirm after the upgrade that the deployed behavior matches the intended framing and escaping: messages with embedded CR or LF must arrive at the receiver as a single record, and deployments meant to use TLS must actually negotiate it. If you run one of the affected 3.0.0 beta releases named in the supporting context, move to a fixed release on that branch once one is available.

PUBLIC EXPLOITS

Exploits

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors correlated with this vulnerability.

Vendor                      Product   Type
Apache Software Foundation  Log4j     application

Vendor-confirmed product mapping.
