#1133368 log4cxx: CVE-2026-40023

Package:
src:log4cxx
Source:
src:log4cxx
Submitter:
Salvatore Bonaccorso
Date:
2026-05-13 02:47:30 UTC
Severity:
normal
Tags:
#1133368#5
Date:
2026-04-12 14:31:34 UTC
From:
To:
Hi,

The following vulnerability was published for log4cxx.

CVE-2026-40023[0]:
| Apache Log4cxx's  XMLLayout https://logging.apache.org/log4cxx/1.7.0
| /classlog4cxx_1_1xml_1_1XMLLayout.html , in versions before 1.7.0,
| fails to sanitize characters forbidden by the  XML 1.0 specification
| https://www.w3.org/TR/xml/#charsets  in log messages, NDC, and MDC
| property keys and values, producing invalid XML output. Conforming
| XML parsers must reject such documents with a fatal error, which may
| cause downstream log processing systems to drop or fail to index
| affected records.  An attacker who can influence logged data can
| exploit this to suppress individual log records, impairing audit
| trails and detection of malicious activity.  Users are advised to
| upgrade to Apache Log4cxx 1.7.0, which fixes this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-40023
https://www.cve.org/CVERecord?id=CVE-2026-40023
[1] https://github.com/apache/logging-log4cxx/pull/609
[2] https://logging.apache.org/security.html#CVE-2026-40023

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore