Skip to main content

Apache CVE-2026-40023

| EUVDEUVD-2026-21490 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-04-10 apache
6.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Apr 10, 2026 - 16:00 euvd
EUVD-2026-21490
Analysis Generated
Apr 10, 2026 - 16:00 vuln.today
Patch released
Apr 10, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 10, 2026 - 15:45 nvd
MEDIUM 6.3

DescriptionCVE.org

Apache Log4cxx's XMLLayout https://logging.apache.org/log4cxx/1.7.0/classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in log messages, NDC, and MDC property keys and values, producing invalid XML output. Conforming XML parsers must reject such documents with a fatal error, which may cause downstream log processing systems to drop or fail to index affected records.

An attacker who can influence logged data can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.

Users are advised to upgrade to Apache Log4cxx 1.7.0, which fixes this issue.

AnalysisAI

Apache Log4cxx XMLLayout before version 1.7.0 fails to sanitize XML-forbidden characters in log messages, NDC (Nested Diagnostic Context), and MDC (Mapped Diagnostic Context) properties, producing malformed XML that conforming parsers reject with fatal errors. Attackers who can influence logged data can exploit this to suppress individual log records, degrading audit trails and impairing detection of malicious activity. The vulnerability affects all versions prior to 1.7.0 across multiple distri

Technical ContextAI

Apache Log4cxx is a C++ logging library implementing XML-based log output through its XMLLayout component. The XML 1.0 specification (W3C TR-xml) defines a restricted character set; specifically, characters in the range 0x00-0x08, 0x0B-0x0C, 0x0E-0x1F, and unpaired surrogates are forbidden in XML documents. XMLLayout formats log records as XML elements but did not validate or escape these forbidden characters when rendering message content, NDC stacks, or MDC property key-value pairs. When a log entry contains such characters, the generated XML becomes non-well-formed. Any XML 1.0 compliant parser (DOM, SAX, or streaming) must reject the document with a fatal parse error per XML specification section 4.2 (Well-Formedness Constraints). This causes downstream log processing pipelines-SIEM systems, log aggregators (ELK, Splunk, etc.), or indexing services-to silently drop or fail-parse affected records. The root cause is improper input validation and encoding (CWE-116: Improper Encoding or Escaping of Output). This is distinct from XML injection (CWE-91) because it does not exploit parser state machines but rather violates the character set specification itself.

RemediationAI

Vendor-released patch: Apache Log4cxx 1.7.0. Upgrade all installations of log4cxx to version 1.7.0 or later immediately if using XMLLayout. Users can verify the installed version via the library's version header or package manager metadata (rpm -q log4cxx, dpkg -l | grep log4cxx, brew list --versions log4cxx, or conan search log4cxx). Until patching is possible, audit the use of XMLLayout in the codebase; if alternative layouts (PatternLayout, JSONLayout, or other non-XML formats) are acceptable for your logging pipeline, switching away from XMLLayout eliminates the vulnerability entirely. If XMLLayout is mandatory, implement application-level input sanitization upstream of the logger to strip or escape control characters from user-influenced input before logging, though this is a workaround and not a substitute for patching. Refer to the upstream PR https://github.com/apache/logging-log4cxx/pull/609 and the full advisory at https://lists.apache.org/thread/y15cv3zblg3dfwr5vy6ddbnl4zyrzr8b for technical details and deployment guidance.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40023 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy