vulnerability

Red Hat: CVE-2023-26464: log4j1-socketappender: DoS via hashmap logging

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
8	(AV:N/AC:L/Au:N/C:N/I:N/A:C)	Mar 10, 2023	Jul 9, 2025	Jul 10, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Mar 10, 2023

Added

Jul 9, 2025

Modified

Jul 10, 2025

Description

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Solution

no-fix-redhat-rpm-package

References

NVD-CVE-2023-26464

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today