Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.
An attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.
Users are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue.
AnalysisAI
Apache Log4net versions before 3.3.0 fail to sanitize XML 1.0-forbidden characters in MDC property keys and values, as well as identity fields, causing serialization exceptions that silently drop log events when XmlLayout or XmlLayoutSchemaLog4J are in use. An attacker who can influence these fields can suppress individual audit log records, impairing detection of malicious activity. No public exploit code or active exploitation has been confirmed; patch is available from the vendor.
Technical ContextAI
Apache Log4net is a .NET-based logging framework that provides structured logging output in multiple formats, including XML. The XmlLayout and XmlLayoutSchemaLog4J serializers convert log events to XML but do not validate or escape characters that violate the XML 1.0 specification (defined at https://www.w3.org/TR/xml/#charsets). The vulnerability stems from incomplete input sanitization (CWE-116: Improper Encoding or Escaping of Output) in the handling of Mapped Diagnostic Context (MDC) properties and identity fields, which may be populated from user-controlled or attacker-influenced sources. When a forbidden character is encountered during serialization, the exception causes the entire log event to be silently dropped rather than being safely encoded or rejected.
RemediationAI
Vendor-released patch: Apache Log4net 3.3.0. Upgrade to version 3.3.0 or later immediately to receive the fix for improper character sanitization in XML serialization. For organizations unable to upgrade immediately, review logging configuration to determine if XmlLayout or XmlLayoutSchemaLog4J are in active use; if not required, disable these layout types and use alternative serialization formats (JSON, CSV, or plain text). Ensure input sources for MDC properties and identity fields are validated or restricted to prevent injection of XML-forbidden characters. Refer to the vendor advisory at https://logging.apache.org/security.html#CVE-2026-40021 and the upstream fix (GitHub PR #280) for additional context.
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: LowShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21488
GHSA-4f7c-pmjv-c25w