- CVE: CVE-2026-49844
- CVSS: 6.3 (Medium · CVSSv4)
- Product: Apache Software Foundation Apache Log4j API
- Affected: 2.13.1, 2.26.0, 3.0.0-alpha1
- Impact: Apache Log4j API: Improper serialization of non-finite floating-point values in MapMessage.asJson()
- Status: No confirmed exploitation yet
- Patched in: 2.25.5, 2.26.1
- EPSS: 0.8% (30-day)
- Action: Update to 2.25.5, 2.26.1 now
TL;DR
Apache has patched a new flaw in Apache Log4j, tracked as CVE-2026-49844. The bug lets an attacker break JSON log output with one special number. It affects the log4j-api component and rates 6.3, or medium, on CVSS 4.0.
Why it matters
Logs are your audit trail. If an attacker corrupts them, your alerts can vanish. This flaw can jam log pipelines and hide malicious activity from downstream tools. So the real impact is availability and integrity, not code execution.
How the attack works
The issue sits in how Apache Log4j serializes numbers to JSON. When a MapMessage holds a non-finite value like NaN or Infinity, the layout writes that bare token. However, JSON does not allow those tokens. As a result, strict parsers reject the record, and downstream ingestion can fail.
The bug triggers only under two conditions. First, the app must use JsonTemplateLayout or another layout that calls MapMessage.asJson(). Second, it must log a MapMessage with an attacker-controlled float. Notably, this patch also closes a gap left by the earlier CVE-2026-34481.
Exploitation status
No public proof-of-concept exists for CVE-2026-49844. Researchers have not confirmed any attacks in the wild. The related issue also scores below 1% on EPSS and stays absent from the CISA KEV list.
Affected versions
The flaw hits log4j-api from 2.13.1 through 2.25.4. It also affects version 2.26.0 and early 3.0.0 pre-releases. Apache fixed it in 2.25.5 and 2.26.1.
How to patch
Upgrade without delay. Move to 2.25.5 or 2.26.1, since both emit valid JSON for these values. You can grab the fixed builds from the Apache Log4j download page. For full details, read Apache’s security advisory. If you cannot patch yet, reject non-finite floats before they reach a logger.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.