MediumPublic exploit

Silent log event loss in Apache Log4j 1-to-Log4j 2 bridge Log4j1XmlLayout

IdentifiersCVE-2026-34479CWE-116· Improper Encoding or Escaping of…

CVE-2026-34479 is a moderate-severity vulnerability in the Apache Log4j 1-to-Log4j 2 bridge component, specifically in Log4j1XmlLayout. The layout fails to escape characters forbidden by the XML 1.0 standard, resulting in malformed XML output. Affected software is org.apache.logging.log4j:log4j-1.2-api in versions 2.7 through before 2.25.4, and 3.0.0-alpha1 through 3.0.0-beta2. Two affected usage patterns are identified: direct use of Log4j1XmlLayout in a Log4j Core 2 configuration, and use of the Log4j 1 compatibility layer with org.apache.log4j.xml.XMLLayout configured as the layout class. Because conforming XML parsers must reject documents containing forbidden XML 1.0 characters with a fatal error, malformed log output can break downstream parsing and processing.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful triggering of the flaw does not provide code execution, but can cause integrity and availability issues in logging pipelines. Log records containing forbidden XML 1.0 characters may be rejected by conforming XML parsers, causing downstream log processing, ingestion, or indexing systems to drop affected events, fail to parse them, or fail to index them. This can result in silent log event loss, reduced auditability, and gaps in monitoring, detection, forensic reconstruction, and compliance logging.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, reduce or eliminate reliance on the deprecated Log4j 1-to-Log4j 2 bridge. Avoid using Log4j1XmlLayout directly and avoid the Log4j 1 compatibility configuration path that specifies org.apache.log4j.xml.XMLLayout where feasible. Where operationally possible, switch to non-XML logging layouts or ensure downstream systems can tolerate or isolate malformed records until remediation is completed. Apache also recommends migrating away from the bridge entirely.

Remediation

Patch, then assume compromise.

Upgrade the Apache Log4j 1-to-Log4j 2 bridge package org.apache.logging.log4j:log4j-1.2-api to version 2.25.4 or later. Apache states that version 2.25.4 corrects the issue. Because the Log4j 1-to-Log4j 2 bridge is deprecated and will not be present in Log4j 3, users should also plan migration away from the bridge in accordance with Apache's Log4j 1 to Log4j 2 migration guidance.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationLog4japplication

Apache Software FoundationLog4j 1 2 Apiapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

cyberthroneNews

Jun 19, 2026

The Vulnerabilities That Matter in Oracle’s June 2026 CSPU - TheCyberThrone

A vulnerability in Oracle Communications addressed as part of a consolidated fix bundled with CVE-2026-34481.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-34479

NVD

nvd.nist.gov/vuln/detail/CVE-2026-34479

MITRE CWE · CWE-116

Improper Encoding or Escaping of Output

Patch

github.com/apache/logging-log4j2/pull/4078

Vendor Advisory

logging.apache.org/cyclonedx/vdr.xml

Vendor Advisory

logging.apache.org/security.html

Mitigation

logging.apache.org/log4j/2.x/migrate-from-log4j1.html

Mailing List

openwall.com/lists/oss-security/2026/04/10/8

Mailing List

lists.apache.org/thread/gd0hp6mj17rn3kj279vgy4p7kd4zz5on