Bug#1133847: apache-log4j2: CVE-2026-34480

Salvatore Bonaccorso carnil at debian.org
Tue Apr 14 21:43:40 BST 2026 

Source: apache-log4j2
Version: 2.19.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for apache-log4j2.

CVE-2026-34480[0]:
| Apache Log4j Core's  XmlLayout
| https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout ,
| in versions up to and including 2.25.3, fails to sanitize characters
| forbidden by the  XML 1.0 specification
| https://www.w3.org/TR/xml/#charsets  producing invalid XML output
| whenever a log message or MDC value contains such characters.  The
| impact depends on the StAX implementation in use:    *  JRE built-in
| StAX: Forbidden characters are silently written to the output,
| producing malformed XML. Conforming parsers must reject such
| documents with a fatal error, which may cause downstream log-
| processing systems to drop the affected records.   *  Alternative
| StAX implementations (e.g.,  Woodstox
| https://github.com/FasterXML/woodstox , a transitive dependency of
| the Jackson XML Dataformat module): An exception is thrown during
| the logging call, and the log event is never delivered to its
| intended appender, only to Log4j's internal status logger.   Users
| are advised to upgrade to Apache Log4j Core 2.25.4, which corrects
| this issue by sanitizing forbidden characters before XML output.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34480
    https://www.cve.org/CVERecord?id=CVE-2026-34480
[1] https://lists.apache.org/thread/5x0hcnng0chhghp6jgjdp3qmbbhfjzhb
[2] https://logging.apache.org/security.html#CVE-2026-34480
[3] https://github.com/apache/logging-log4j2/pull/4077
[4] https://github.com/apache/logging-log4j2/commit/4f5014229825d8be977662e0743205bb8a67f989

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

More information about the pkg-java-maintainers mailing list