6.3
MEDIUM CVSS 4.0
CVE-2026-49844
Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
Description

Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document. The defect is reachable only when both of the following conditions hold: * The application uses the message resolver https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}). * The application logs a MapMessage that contains an attacker-controlled floating-point value. An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing. Users are advised to upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for non-finite values.

INFO

Published Date :

July 10, 2026, 10:16 p.m.

Last Modified :

July 10, 2026, 10:16 p.m.

Remotely Exploit :

Yes !
Affected Products

The following products are affected by CVE-2026-49844 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and displays CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 4.0 MEDIUM f0158376-9dc2-43b6-827c-5f631a4d8d09
CVSS 4.0 MEDIUM [email protected]
Solution
Upgrade Apache Log4j API to a patched version to ensure compliant JSON output.
  • Upgrade Apache Log4j API to 2.25.5 or 2.26.1.
  • Ensure application uses JsonTemplateLayout or similar layouts.
  • Validate logging of MapMessages with floating-point values.
References to Advisories, Solutions, and Tools
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-49844 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-49844 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-49844 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-49844 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • New CVE Received by [email protected]

    Jul. 10, 2026

    Action Type Old Value New Value
    Added Affected [{'cpes': ['cpe:2.3:a:apache:log4j_api:*:*:*:*:*:*:*:*'], 'vendor': 'Apache Software Foundation', 'product': 'Apache Log4j API', 'versions': [{'status': 'affected', 'version': '2.13.1', 'lessThan': '2.25.5', 'versionType': 'maven'}, {'status': 'affected', 'version': '2.26.0', 'lessThan': '2.26.1', 'versionType': 'maven'}, {'status': 'affected', 'version': '3.0.0-alpha1', 'versionType': 'maven', 'lessThanOrEqual': '3.0.0-beta2'}], 'packageURL': 'pkg:maven/org.apache.logging.log4j/log4j-api', 'packageName': 'org.apache.logging.log4j:log4j-api', 'collectionURL': 'https://repo.maven.apache.org/maven2', 'defaultStatus': 'unaffected'}]
    Added Description Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: when a MapMessage contains a non-finite IEEE 754 value (NaN, Infinity, or -Infinity), MapMessage.asJson() emits the corresponding bare token. RFC 8259 does not permit these tokens, so a conformant parser rejects the resulting document. The defect is reachable only when both of the following conditions hold: * The application uses the message resolver https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message of JsonTemplateLayout or any other layout that relies on MapMessage.asJson() or MapMessage.getFormattedMessage(new String[]{"JSON"}). * The application logs a MapMessage that contains an attacker-controlled floating-point value. An attacker who can supply a non-finite value can cause the affected layout to emit malformed JSON, which may corrupt the enclosing log record or disrupt downstream log ingestion and parsing. Users are advised to upgrade to Apache Log4j API 2.25.5 or 2.26.1, both of which emit RFC 8259-compliant JSON for non-finite values.
    Added CVSS V4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CWE CWE-116
    Added Reference https://github.com/apache/logging-log4j2/pull/4163
    Added Reference https://logging.apache.org/cyclonedx/vdr.xml
    Added Reference https://logging.apache.org/log4j/2.x/manual/json-template-layout.html#event-template-resolver-message
    Added Reference https://logging.apache.org/security.html#CVE-2026-49844
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.