PT-2026-57319 · Apache · Log4J Api

Himanshu Anand

·

Published

2026-07-10

·

Updated

2026-07-11

·

CVE-2026-49844

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions Apache Log4j API versions 2.13.1 through 2.25.4 Apache Log4j API version 2.26.0
Description Improper encoding of non-finite IEEE 754 floating-point values (NaN, Infinity, or -Infinity) during MapMessage JSON serialization produces output that is not valid JSON. This occurs when MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}) is used, as they emit bare tokens not permitted by RFC 8259. The issue is reachable if an application uses the event template resolver of JsonTemplateLayout or any other layout relying on these methods and logs a MapMessage containing an attacker-controlled floating-point value. This can result in malformed JSON, potentially corrupting log records or disrupting downstream log ingestion and parsing.
Recommendations For versions 2.13.1 through 2.25.4, upgrade to Apache Log4j API 2.25.5. For version 2.26.0, upgrade to Apache Log4j API 2.26.1.

Fix

Improper Encoding or Escaping of Output

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49844

Affected Products

Log4J Api