Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.bugs.dist > #1289321

Bug#1133360: log4net: CVE-2026-40021

Show all headers | View raw

Source: log4net
Version: 1.2.10+dfsg-9
Severity: important
Tags: security upstream
Forwarded: https://github.com/apache/logging-log4net/pull/280
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for log4net.

CVE-2026-40021[0]:
| Apache Log4net's  XmlLayout https://logging.apache.org/log4net/manua
| l/configuration/layouts.html#layout-list  and  XmlLayoutSchemaLog4J
| https://logging.apache.org/log4net/manual/configuration/layouts.html
| #layout-list , in versions before 3.3.0, fail to sanitize characters
| forbidden by the  XML 1.0 specification
| https://www.w3.org/TR/xml/#charsets  in MDC property keys and
| values, as well as the identity field that may carry attacker-
| influenced data. This causes an exception during serialization and
| the silent loss of the affected log event.  An attacker who can
| influence any of these fields can exploit this to suppress
| individual log records, impairing audit trails and detection of
| malicious activity.  Users are advised to upgrade to Apache Log4net
| 3.3.0, which fixes this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40021
    https://www.cve.org/CVERecord?id=CVE-2026-40021
[1] https://github.com/apache/logging-log4net/pull/280
[2] https://logging.apache.org/security.html#CVE-2026-40021

Regards,
Salvatore

Back to linux.debian.bugs.dist | Previous | Next | Find similar

Thread

Bug#1133360: log4net: CVE-2026-40021 Salvatore Bonaccorso <carnil@debian.org> - 2026-04-12 15:10 +0200

csiph-web