Apache Log4j 1.x (EOL) allows DoS in Chainsaw and SocketAppender
Description
UNSUPPORTED WHEN ASSIGNED
When using the Chainsaw or SocketAppender components with Log4j 1.x on a JRE older than 1.7, an attacker who manages to cause a logging entry involving a specially crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve denial of service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Log4j 1.x Chainsaw/SocketAppender DoS via deeply nested hashmap/hashtable deserialization (JRE < 1.7).
Vulnerability
CVE-2023-26464 is a denial-of-service vulnerability in Apache Log4j 1.x when using the Chainsaw or SocketAppender components on JRE versions earlier than 1.7. The root cause is improper handling of deeply nested hashmap or hashtable objects during deserialization, leading to memory exhaustion [2].
Exploitation
An attacker who can cause a logging entry containing a specially crafted, deeply nested hashmap or hashtable to be processed can trigger the vulnerability. No authentication is required if the attacker can inject log messages into a system using the affected components. The attack surface is limited to applications using Chainsaw or SocketAppender with Log4j 1.x [2].
Impact
Successful exploitation results in exhaustion of available memory in the Java virtual machine, causing a denial of service. The vulnerability does not affect Log4j 2.x, only the unsupported 1.x branch [2].
Mitigation
Apache Log4j 1.x is end-of-life and no longer supported. Users are strongly recommended to upgrade to Log4j 2.x, which is not affected by this issue. No official patch is available for the vulnerable versions [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.logging.log4j:log4j-core (Maven) | >= 1.0.4, < 2.0 | 2.0 |
| log4j:log4j (Maven) | >= 1.0.4, < 2.0 | 2.0 |
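As an added inventory check (not part of this advisory page or the Log4j project), the following Python script flags `groupId:artifactId` coordinates in `mvn dependency:list` output that fall inside the affected ranges from the table above. The sample output lines are constructed, and version ordering follows Maven's convention that a pre-release qualifier such as `2.0-beta9` sorts below the bare `2.0`, so it is still caught by the `< 2.0` bound.

```python
import re

# Affected ranges exactly as the GitHub Security Advisory table gives them:
# lower bound inclusive, upper bound exclusive.
AFFECTED = {
    "log4j:log4j": ("1.0.4", "2.0"),
    "org.apache.logging.log4j:log4j-core": ("1.0.4", "2.0"),
}

# One `mvn dependency:list` line: groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?:jar|pom|war)"
    r"(?::[\w.\-]+)?:(?P<v>[^:\s]+):(?P<scope>\w+)"
)


def version_key(v):
    """Sort key following Maven's basic ordering: numeric components compare
    numerically (missing ones count as 0), and a qualifier such as -beta9 or
    -SNAPSHOT ranks the version *below* the bare release with the same numbers.
    Purely numeric qualifiers (e.g. 2.0-1) are rejected rather than guessed."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z].*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    return nums, 1 if m.group(2) is None else 0


def is_affected(coord, version):
    """True when groupId:artifactId is listed and version lies in [low, high)."""
    if coord not in AFFECTED:
        return False
    low, high = AFFECTED[coord]
    return version_key(low) <= version_key(version) < version_key(high)


def scan_dependency_list(text):
    """Return (coord, version, scope) for every affected artifact in the output."""
    hits = []
    for line in text.splitlines():
        m = DEP_LINE.match(line)
        if m and is_affected(f"{m['g']}:{m['a']}", m["v"]):
            hits.append((f"{m['g']}:{m['a']}", m["v"], m["scope"]))
    return hits


# Constructed sample of `mvn dependency:list` output (not from a real build).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    log4j:log4j:jar:1.2.17:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO]    log4j:log4j:jar:1.0.3:test
"""

if __name__ == "__main__":
    for coord, version, scope in scan_dependency_list(SAMPLE):
        print(f"AFFECTED: {coord}:{version} ({scope}) -> upgrade to Log4j 2.x")
```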
Affected products
OSV coordinates (4 versions):
- pkg:apk/chainguard/druid-compat (no CPE), range: < 34.0.0-r6
- pkg:apk/wolfi/druid-compat (no CPE), range: < 34.0.0-r6
- pkg:maven/log4j/log4j (no CPE), range: >= 1.0.4, < 2.0
- pkg:maven/org.apache.logging.log4j/log4j-core (no CPE), range: >= 1.0.4, < 2.0
- Apache Software Foundation / Apache Log4j (v5 range): 1.0.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-vp98-w2p3-mv35 (ghsa, advisory)
2. lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t (ghsa, vendor advisory, web)
3. nvd.nist.gov/vuln/detail/CVE-2023-26464 (ghsa, advisory)
4. security.netapp.com/advisory/ntap-20230505-0008 (ghsa, web)
5. security.netapp.com/advisory/ntap-20230505-0008/ (mitre)
News mentions
No linked articles in our index yet.