Threat Advisory

Apache Log4j Flaw Breaks JSON Log Output with Non-Finite Floats

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Medium
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting Apache Log4j API versions The flaw hits log4j-api from 2 have been identified in Apache Software Foundation Apache Log4j API, which could impact the availability and integrity of logs. The flaws affect version 2.13.1 through 2.25.4 of log4j-api, as well as versions 2.26.0 and early 3.0.0 pre-releases.

CVE-2026-49844 (CVSS 6.3 — Medium): A vulnerability in Apache Log4j API allows an attacker to break JSON log output with a special number. The bug triggers when using JsonTemplateLayout or another layout that calls MapMessage.asJson and logging a MapMessage with an attacker-controlled float.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities affecting Apache Log4j API versions The flaw hits log4j-api from 2 have been identified in Apache Software Foundation Apache Log4j API, which could impact the availability and integrity of logs. The flaws affect version 2.13.1 through 2.25.4 of log4j-api, as well as versions 2.26.0 and early 3.0.0 pre-releases.

CVE-2026-49844 (CVSS 6.3 — Medium): A vulnerability in Apache Log4j API allows an attacker to break JSON log output with a special number. The bug triggers when using JsonTemplateLayout or another layout that calls MapMessage.asJson and logging a MapMessage with an attacker-controlled float.[emaillocker id="1283"]

CVE-2026-34481: description not provided in the article These vulnerabilities collectively present a risk of data corruption and loss due to invalid log output. These vulnerabilities collectively present a risk of data corruption and loss due to invalid log output.

These vulnerabilities collectively present a risk of data corruption and loss due to invalid log output. These vulnerabilities collectively present a risk of data corruption and loss due to invalid log output.

RECOMMENDATION:

We recommend you to update Apache Log4j API to version 2.25.5 or 2.26.1.

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu