Skip to content

Add CVE-2026-49844 and update CVE-2026-34481#40

Merged
ppkarwasz merged 2 commits into
mainfrom
add-cve-2026-49844
Jul 10, 2026
Merged

Add CVE-2026-49844 and update CVE-2026-34481#40
ppkarwasz merged 2 commits into
mainfrom
add-cve-2026-49844

Conversation

@ppkarwasz

Copy link
Copy Markdown
Member

CVE-2026-49844 covers the MapMessage.asJson() code path in Log4j API that the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects log4j-api [2.13.1, 2.25.5), [2.26.0, 2.26.1) and [3.0.0-alpha1, 3.0.0-beta2], and is fixed in 2.25.5 and 2.26.1.

CVE-2026-34481 is amended to note that an ObjectMessage, e.g. one produced by Logger.info(Object), is also affected, and to point at the follow-up CVE.

Add a log4j-api dummy component to the VDR, bump the BOM version and refresh the affected updated elements.

Assisted-By: Claude Opus 4.8 (1M context) [email protected]

CVE-2026-49844 covers the `MapMessage.asJson()` code path in Log4j API that the CVE-2026-34481 fix in JSON Template Layout 2.25.4 did not reach. It affects `log4j-api` `[2.13.1, 2.25.5)`, `[2.26.0, 2.26.1)` and `[3.0.0-alpha1, 3.0.0-beta2]`, and is fixed in 2.25.5 and 2.26.1.

CVE-2026-34481 is amended to note that an `ObjectMessage`, e.g. one produced by `Logger.info(Object)`, is also affected, and to point at the follow-up CVE.

Add a `log4j-api` dummy component to the VDR, bump the BOM version and refresh the affected `updated` elements.

Assisted-By: Claude Opus 4.8 (1M context) <[email protected]>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the Logging Services vulnerability disclosures by adding a new CVE entry for an uncovered Log4j API JSON serialization code path, and by amending the prior CVE to reference the follow-up issue and impacted message types.

Changes:

  • Added CVE-2026-49844 to both the CycloneDX VDR and the Antora vulnerabilities page, including affected/fixed version ranges.
  • Updated CVE-2026-34481 text to clarify ObjectMessage impact and to point to CVE-2026-49844.
  • Bumped the VDR BOM version and refreshed timestamps/updated elements to reflect the changes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/site/static/cyclonedx/vdr.xml Bumps VDR version/timestamp, adds a dummy log4j-api component, adds CVE-2026-49844, and amends CVE-2026-34481.
src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc Adds a new CVE-2026-49844 section and updates CVE-2026-34481 description/remediation to reference the follow-up CVE.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/site/antora/modules/ROOT/pages/_vulnerabilities.adoc Outdated

@FreeAndNil FreeAndNil left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks.

@ppkarwasz ppkarwasz enabled auto-merge (squash) July 10, 2026 21:09
@ppkarwasz ppkarwasz merged commit 3dc5d36 into main Jul 10, 2026
4 checks passed
@ppkarwasz ppkarwasz deleted the add-cve-2026-49844 branch July 10, 2026 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants