Skip to main content

Apache CVE-2026-40021

| EUVDEUVD-2026-21488 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-04-10 apache GHSA-4f7c-pmjv-c25w
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21488
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
Patch released
Apr 10, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 10, 2026 - 15:44 nvd
MEDIUM 6.3

DescriptionCVE.org

Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.

An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.

AnalysisAI

Apache Log4net versions before 3.3.0 fail to sanitize XML 1.0-forbidden characters in MDC property keys and values, as well as identity fields, causing serialization exceptions that silently drop log events when XmlLayout or XmlLayoutSchemaLog4J are in use. An attacker who can influence these fields can suppress individual audit log records, impairing detection of malicious activity. No public exploit code or active exploitation has been confirmed; patch is available from the vendor.

Technical ContextAI

Apache Log4net is a .NET-based logging framework that provides structured logging output in multiple formats, including XML. The XmlLayout and XmlLayoutSchemaLog4J serializers convert log events to XML but do not validate or escape characters that violate the XML 1.0 specification (defined at https://www.w3.org/TR/xml/#charsets). The vulnerability stems from incomplete input sanitization (CWE-116: Improper Encoding or Escaping of Output) in the handling of Mapped Diagnostic Context (MDC) properties and identity fields, which may be populated from user-controlled or attacker-influenced sources. When a forbidden character is encountered during serialization, the exception causes the entire log event to be silently dropped rather than being safely encoded or rejected.

RemediationAI

Vendor-released patch: Apache Log4net 3.3.0. Upgrade to version 3.3.0 or later immediately to receive the fix for improper character sanitization in XML serialization. For organizations unable to upgrade immediately, review logging configuration to determine if XmlLayout or XmlLayoutSchemaLog4J are in active use; if not required, disable these layout types and use alternative serialization formats (JSON, CSV, or plain text). Ensure input sources for MDC properties and identity fields are validated or restricted to prevent injection of XML-forbidden characters. Refer to the vendor advisory at https://logging.apache.org/security.html#CVE-2026-40021 and the upstream fix (GitHub PR #280) for additional context.

Vendor StatusVendor

SUSE

Severity: Low

Share

CVE-2026-40021 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy