Anonymous Intelligence Signal

Log4j Core Silent Attribute Renames Expose Syslog Deployments to CRLF Injection via Undocumented Configuration Changes

Author: The Lab (human, unverified) | 2026-05-04 09:54:15 | Source: GitHub Issues

A critical vulnerability in Apache Log4j Core versions 2.21.0 through 2.25.3 has been identified in the Rfc5424Layout component, creating a CRLF injection pathway for organizations using stream-based syslog services. The flaw stems from undocumented renames of two security-critical configuration attributes that silently broke protections against log injection attacks. CVE-2026-34478, classified under CWE-117, affects only users who configure Rfc5424Layout directly; users of the SyslogAppender remain unaffected.

The first issue involves the newLineEscape attribute, which was silently renamed in affected versions. This caused newline escaping to fail for users of TCP framing compliant with RFC 6587, directly exposing their log output to CRLF injection. The second, potentially more severe issue involves the useTlsMessageFormat attribute, which was also renamed without documentation. Organizations using TLS framing per RFC 5425 were silently downgraded to unframed TCP (RFC 6587) without newline escaping protections, creating a compounding failure in both transport security and log integrity controls.

The vulnerability carries significant risk for environments where log integrity is critical to operations or regulatory compliance, including financial systems, healthcare platforms, and security monitoring infrastructure. Attackers who can inject CRLF sequences into logs may forge log entries, obscure forensic trails, or exploit log parsing systems. Administrators are advised to upgrade immediately to Apache Log4j Core 2.25.4, which restores the correct attribute names and re-enables newline escaping for affected transport configurations. Organizations unable to patch immediately should audit Rfc5424Layout configurations for explicit use of these attributes and verify that log aggregation systems sanitize newline characters in inbound syslog streams.
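As an added illustration (not code from the advisory or from the Log4j project), the following Python models the two checks the interim mitigation calls for: an audit of a constructed log4j2.xml for directly configured Rfc5424Layout elements that set the two attributes named above, and a receiver-side model of RFC 6587 non-transparent framing showing why a missing newLineEscape turns one log call into two records. The escape token "#012", the hostnames and the sample message are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Attributes the advisory names as silently renamed in Log4j Core 2.21.0-2.25.3.
AFFECTED_ATTRS = ("newLineEscape", "useTlsMessageFormat")

# Constructed sample log4j2.xml; the "syslog" appender relies on both attributes.
SAMPLE_CONFIG = """<Configuration>
  <Appenders>
    <Socket name="syslog" host="collector.example.internal" port="6514" protocol="TCP">
      <Rfc5424Layout appName="billing" newLineEscape="#012" useTlsMessageFormat="true"/>
    </Socket>
    <Syslog name="viaAppender" host="collector.example.internal" port="514" format="RFC5424"/>
  </Appenders>
</Configuration>"""


def audit_log4j_config(xml_text: str) -> list:
    """List (appender name, attribute) for each directly configured Rfc5424Layout
    that sets an affected attribute. The Syslog appender is out of scope."""
    findings = []
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            if child.tag.lower() == "rfc5424layout":
                for attr in AFFECTED_ATTRS:
                    if attr in child.attrib:
                        findings.append((parent.get("name"), attr))
    return findings


def escape_newlines(message: str, escape: str = "#012") -> str:
    """Sender-side protection modelled on newLineEscape: replace CR/LF inside
    the message body so the record stays on one line."""
    return re.sub(r"\r\n|\r|\n", escape, message)


def split_non_transparent_frames(stream: bytes) -> list:
    """Model an RFC 6587 non-transparent-framing receiver: every LF ends a record,
    so an unescaped newline inside one message produces an extra record."""
    return [rec for rec in stream.split(b"\n") if rec]


def records_seen_by_receiver(untrusted_field: str, escaped: bool) -> int:
    """Records a receiver sees for one log call whose message embeds an untrusted
    string, with (escaped=True) and without newline escaping."""
    body = "login failed for user=" + untrusted_field
    if escaped:
        body = escape_newlines(body)
    record = "<14>1 2026-05-04T09:54:15Z app01 billing - - - " + body + "\n"
    return len(split_non_transparent_frames(record.encode()))
```

Running `audit_log4j_config(SAMPLE_CONFIG)` flags only the Socket appender's layout, and `records_seen_by_receiver` returns 2 records for an unescaped field containing CRLF versus 1 once escaping is applied.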