2457317 – (CVE-2026-40023) CVE-2026-40023 Apache Log4cxx: Apache Log4cxx: Log processing impairment due to unsanitized XML characters

Bug 2457317 (CVE-2026-40023) - CVE-2026-40023 Apache Log4cxx: Apache Log4cxx: Log processing impairment due to unsanitized XML characters

Summary: CVE-2026-40023 Apache Log4cxx: Apache Log4cxx: Log processing impairment due ...

Keywords:
Status:	NEW
Alias:	CVE-2026-40023
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457922 2457923
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-10 16:01 UTC by OSIDB Bzimport
Modified:	2026-04-13 17:08 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-10 16:01:52 UTC

Apache Log4cxx's  XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.

Note You need to log in before you can comment on or make changes to this bug.