2457328 – (CVE-2026-34480) CVE-2026-34480 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging

Bug 2457328 (CVE-2026-34480) - CVE-2026-34480 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invalid XML output causes denial of service in logging

Summary: CVE-2026-34480 org.apache.logging.log4j/log4j-core: Apache Log4j Core: Invali...

Keywords:
Status:	NEW
Alias:	CVE-2026-34480
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2457886 2457889 2457890 2457885 2457887 2457888
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-10 16:02 UTC by OSIDB Bzimport
Modified:	2026-06-02 17:41 UTC (History)
CC List:	71 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2026:22619	0	None	None	None	2026-06-02 17:41:28 UTC

Description OSIDB Bzimport 2026-04-10 16:02:41 UTC

Apache Log4j Core's  XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the  XML 1.0 specification https://www.w3.org/TR/xml/#charsets  producing invalid XML output whenever a log message or MDC value contains such characters.

The impact depends on the StAX implementation in use:

  *  JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.
  *  Alternative StAX implementations (e.g.,  Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.


Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.

Comment 2 errata-xmlrpc 2026-06-02 17:41:24 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 8.6.1

Via RHSA-2026:22619 https://access.redhat.com/errata/RHSA-2026:22619

Note You need to log in before you can comment on or make changes to this bug.

abrianik
alinfoot
aprice
asoldano
ataylor
bbaranow
bbrownin
bmaxwell
bstansbe
caswilli
chfoley
csutherl
dbruscin
dlofthou
drosa
dsoumis
dtrifiro
ewittman
fmariani
ggrzybek
gmalinko
istudens
ivassile
iweiss
janstey
jclere
jkoehler
jraez
jsamir
jwon
kaycoth
kgaikwad
kvanderr
lphiri
mcarlett
mnovotny
mosmerov
mstipich
msvehla
nipatil
nwallace
oezr
pantinor
parichar
pberan
pbizzarr
pdelbell
pesilva
pjindal
plodge
pmackay
rbryant
rexwhite
rgodfrey
rhel-process-autobot
rkubis
rmaucher
rstancel
rstepani
sausingh
smaestri
sthirugn
swoodman
szappis
tasato
tcunning
thjenkin
vdosoudi
watson-tool-maintainers
weaton
yfang