CVE-2026-34479
Description
The Log4j1XmlLayout from the Apache Log4j 1-to-Log4j 2 bridge fails to escape characters forbidden by the XML 1.0 standard, producing malformed XML output. Conforming XML parsers are required to reject documents containing such characters with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.
Two groups of users are affected:
- Those using Log4j1XmlLayout directly in a Log4j Core 2 configuration file.
- Those using the Log4j 1 configuration compatibility layer with org.apache.log4j.xml.XMLLayout specified as the layout class.
Users are advised to upgrade to Apache Log4j 1-to-Log4j 2 bridge version 2.25.4, which corrects this issue.
Note: The Apache Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3. Users are encouraged to consult the Log4j 1 to Log4j 2 migration guide https://logging.apache.org/log4j/2.x/migrate-from-log4j1.html , and specifically the section on eliminating reliance on the bridge.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.logging.log4j:log4j-1.2-apiMaven | >= 2.7, < 2.25.4 | 2.25.4 |
org.apache.logging.log4j:log4j-1.2-apiMaven | >= 3.0.0-beta1, <= 3.0.0-beta2 | — |
Affected products
104cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*+ 5 more
- cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*range: >=2.7,<2.25.4
- cpe:2.3:a:apache:log4j:3.0.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:alpha1_rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:log4j:3.0.0:beta2:*:*:*:*:*:*
- osv-coords97 versionspkg:apk/chainguard/akhqpkg:apk/chainguard/celeborn-0.5pkg:apk/chainguard/celeborn-0.6pkg:apk/chainguard/commercial-elasticsearch-8.19pkg:apk/chainguard/commercial-elasticsearch-9.3pkg:apk/chainguard/commercial-elasticsearch-9.4pkg:apk/chainguard/druidpkg:apk/chainguard/elasticsearch-8.19pkg:apk/chainguard/elasticsearch-8.19-iamguardedpkg:apk/chainguard/elasticsearch-9.0pkg:apk/chainguard/elasticsearch-9.0-iamguardedpkg:apk/chainguard/elasticsearch-9.1pkg:apk/chainguard/elasticsearch-9.1-iamguardedpkg:apk/chainguard/elasticsearch-9.2pkg:apk/chainguard/elasticsearch-9.2-iamguardedpkg:apk/chainguard/elasticsearch-9.3pkg:apk/chainguard/elasticsearch-9.3-iamguardedpkg:apk/chainguard/elasticsearch-fips-8.19pkg:apk/chainguard/elasticsearch-fips-9.0pkg:apk/chainguard/elasticsearch-fips-9.0-bitnamipkg:apk/chainguard/elasticsearch-fips-9.1pkg:apk/chainguard/elasticsearch-fips-9.2pkg:apk/chainguard/elasticsearch-fips-9.3pkg:apk/chainguard/flink-1.19pkg:apk/chainguard/flink-1.20pkg:apk/chainguard/flink-2.0pkg:apk/chainguard/flink-2.1pkg:apk/chainguard/flink-2.2pkg:apk/chainguard/geoserver-2.27pkg:apk/chainguard/geoserver-2.28pkg:apk/chainguard/kafka-4.0pkg:apk/chainguard/kafka-4.1pkg:apk/chainguard/kafka-4.2pkg:apk/chainguard/kafka-fips-4.1pkg:apk/chainguard/kafka-fips-4.2pkg:apk/chainguard/kserve-modelmeshpkg:apk/chainguard/logstash-8.19pkg:apk/chainguard/logstash-8.19-iamguarded-compatpkg:apk/chainguard/logstash-8.19-with-output-opensearchpkg:apk/chainguard/logstash-9.0pkg:apk/chainguard/logstash-9.0-iamguarded-compatpkg:apk/chainguard/logstash-9.0-with-output-opensearchpkg:apk/chainguard/logstash-9.1pkg:apk/chainguard/logstash-9.1-bitnami-compatpkg:apk/chainguard/logstash-9.1-iamguarded-compatpkg:apk/chainguard/logstash-9.1-with-output-opensearchpkg:apk/chainguard/logstash-9.3pkg:apk/chainguard/logstash-9.3-iamguarded-compatpkg:apk/chainguard/logstash-9.4pkg:apk/chainguard/logstash-9.4-iamguarded-compatpkg:apk/chainguard/logstash-fips-9.4pkg:apk/chainguard/logstash-fips-9.4-iamguarded-compatpkg:apk/chainguard/nuxeo-2023pkg:apk/chainguard/opensearch-2-crypto-kmspkg:apk/chainguard/opensearch-2-discovery-azure-classicpkg:apk/chainguard/opensearch-2-discovery-ec2pkg:apk/chainguard/opensearch-2-discovery-gcepkg:apk/chainguard/opensearch-2-repository-gcspkg:apk/chainguard/opensearch-2-repository-s3pkg:apk/chainguard/pinotpkg:apk/chainguard/pinot-fipspkg:apk/chainguard/solr-10pkg:apk/chainguard/solr-9pkg:apk/chainguard/spark-4.0-scala-2.13pkg:apk/chainguard/spark-4.1-scala-2.13pkg:apk/chainguard/spark-fips-4.1-scala-2.13pkg:apk/wolfi/akhqpkg:apk/wolfi/celeborn-0.5pkg:apk/wolfi/celeborn-0.6pkg:apk/wolfi/druidpkg:apk/wolfi/flink-1.20pkg:apk/wolfi/flink-2.0pkg:apk/wolfi/flink-2.1pkg:apk/wolfi/flink-2.2pkg:apk/wolfi/kafka-4.0pkg:apk/wolfi/kafka-4.1pkg:apk/wolfi/kafka-4.2pkg:apk/wolfi/kserve-modelmeshpkg:apk/wolfi/logstash-9.1pkg:apk/wolfi/logstash-9.1-bitnami-compatpkg:apk/wolfi/logstash-9.1-iamguarded-compatpkg:apk/wolfi/logstash-9.1-with-output-opensearchpkg:apk/wolfi/logstash-9.3pkg:apk/wolfi/logstash-9.3-iamguarded-compatpkg:apk/wolfi/logstash-9.4pkg:apk/wolfi/logstash-9.4-iamguarded-compatpkg:apk/wolfi/opensearch-2-crypto-kmspkg:apk/wolfi/opensearch-2-discovery-azure-classicpkg:apk/wolfi/opensearch-2-discovery-ec2pkg:apk/wolfi/opensearch-2-discovery-gcepkg:apk/wolfi/opensearch-2-repository-gcspkg:apk/wolfi/opensearch-2-repository-s3pkg:apk/wolfi/solr-10pkg:apk/wolfi/spark-4.0-scala-2.13pkg:apk/wolfi/spark-4.1-scala-2.13pkg:maven/org.apache.logging.log4j/log4j-1.2-apipkg:rpm/opensuse/log4j&distro=openSUSE%20Tumbleweed
< 0.27.0-r2+ 96 more
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 0.5.4-r22
- (no CPE)range: < 0.6.3-r1
- (no CPE)range: < 8.19.16-r0
- (no CPE)range: < 9.3.5-r0
- (no CPE)range: < 9.4.2-r0
- (no CPE)range: < 36.0.0-r15
- (no CPE)range: < 8.19.14-r2
- (no CPE)range: < 8.19.14-r2
- (no CPE)range: < 9.0.8-r10
- (no CPE)range: < 9.0.8-r10
- (no CPE)range: < 9.1.10-r4
- (no CPE)range: < 9.1.10-r4
- (no CPE)range: < 9.2.8-r2
- (no CPE)range: < 9.2.8-r2
- (no CPE)range: < 9.3.3-r2
- (no CPE)range: < 9.3.3-r2
- (no CPE)range: < 8.19.13-r4
- (no CPE)range: < 9.0.8-r17
- (no CPE)range: < 9.0.8-r17
- (no CPE)range: < 9.1.10-r10
- (no CPE)range: < 9.2.7-r5
- (no CPE)range: < 9.3.2-r5
- (no CPE)range: < 1.19.3-r5
- (no CPE)range: < 1.20.3-r4
- (no CPE)range: < 2.0.1-r6
- (no CPE)range: < 2.1.1-r4
- (no CPE)range: < 2.2.0-r5
- (no CPE)range: < 2.27.5-r6
- (no CPE)range: < 2.28.3-r5
- (no CPE)range: < 4.0.2-r2
- (no CPE)range: < 4.1.2-r2
- (no CPE)range: < 4.2.0-r5
- (no CPE)range: < 4.1.2-r2
- (no CPE)range: < 4.2.1-r0
- (no CPE)range: < 0.12.0-r31
- (no CPE)range: < 8.19.14-r3
- (no CPE)range: < 8.19.14-r3
- (no CPE)range: < 8.19.14-r3
- (no CPE)range: < 9.0.8-r20
- (no CPE)range: < 9.0.8-r20
- (no CPE)range: < 9.0.8-r20
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.3.4-r4
- (no CPE)range: < 9.3.4-r4
- (no CPE)range: < 9.4.1-r3
- (no CPE)range: < 9.4.1-r3
- (no CPE)range: < 9.4.1-r3
- (no CPE)range: < 9.4.1-r3
- (no CPE)range: < 2023.40-r3
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 1.5.0-r1
- (no CPE)range: < 1.5.0-r1
- (no CPE)range: < 10.0.0-r1
- (no CPE)range: < 9.10.1-r2
- (no CPE)range: < 4.0.2-r11
- (no CPE)range: < 4.1.1-r15
- (no CPE)range: < 4.1.1-r13
- (no CPE)range: < 0.27.0-r2
- (no CPE)range: < 0.5.4-r22
- (no CPE)range: < 0.6.3-r1
- (no CPE)range: < 36.0.0-r15
- (no CPE)range: < 1.20.3-r4
- (no CPE)range: < 2.0.1-r6
- (no CPE)range: < 2.1.1-r4
- (no CPE)range: < 2.2.0-r5
- (no CPE)range: < 4.0.2-r2
- (no CPE)range: < 4.1.2-r2
- (no CPE)range: < 4.2.0-r5
- (no CPE)range: < 0.12.0-r31
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.1.10-r6
- (no CPE)range: < 9.3.4-r4
- (no CPE)range: < 9.3.4-r4
- (no CPE)range: < 9.4.1-r3
- (no CPE)range: < 9.4.1-r3
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 2.19.4-r14
- (no CPE)range: < 10.0.0-r1
- (no CPE)range: < 4.0.2-r11
- (no CPE)range: < 4.1.1-r15
- (no CPE)range: >= 2.7, < 2.25.4
- (no CPE)range: < 2.20.0-2.1
Patches
Vulnerability mechanics
References
8- github.com/apache/logging-log4j2/pull/4078nvdExploitIssue TrackingPatchWEB
- github.com/advisories/GHSA-h383-gmxw-35v2ghsaADVISORY
- logging.apache.org/cyclonedx/vdr.xmlnvdVendor AdvisoryWEB
- logging.apache.org/security.htmlnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-34479ghsaADVISORY
- www.openwall.com/lists/oss-security/2026/04/10/8nvdMailing ListWEB
- lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5onnvdMailing ListWEB
- logging.apache.org/log4j/2.x/migrate-from-log4j1.htmlnvdMitigationWEB
News mentions
0No linked articles in our index yet.