It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CVE-2021-45046
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2023-05-01), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 9.0 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 9.0
- EG Score
- 9.0(high)
- EPSS
- 100.0%
- KEV
- ⚠ Exploited
Published
December 14, 2021
Last Modified
October 27, 2025
Advisory Details (6)
Auto-updated Jun 2, 2026[SECURITY] Fedora 35 Update: log4j-2.17.0-1.fc35 - package-announce - Fedora mailing-lists
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SIG7FZULMNK2XF6FZRU4VWYDQXNMUGAJ/[SECURITY] Fedora 34 Update: log4j-2.17.0-1.fc34 - package-announce - Fedora mailing-lists
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKPQGV24RRBBI4TBZUDQMM4MEH7MXCY/oss-security - Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
http://www.openwall.com/lists/oss-security/2021/12/18/1oss-security - Re: CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
http://www.openwall.com/lists/oss-security/2021/12/15/3oss-security - CVE-2021-45046: Apache Log4j2 Thread Context Message Pattern and Context Lookup Pattern vulnerable to a denial of service attack
http://www.openwall.com/lists/oss-security/2021/12/14/4Vendor Advisories for CVE-2021-45046(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2025:1747Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.3.12 security update
- RHSA-2025:1746Red Hat Product SecurityCritical
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.1.9 on RHEL 7 security update
- RHSA-2022:1299Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1297Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:1296Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4.4 security update
- RHSA-2022:0223Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Integration Camel-K 1.6.3 release and security update
- RHSA-2022:0222Red Hat Product SecurityMedium
Red Hat Security Advisory: Red Hat Integration Camel Extensions for Quarkus 2.2 security update
- RHSA-2022:0216Red Hat Product SecurityLow
Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.4 security update
- +12 more
Patch Availability(18)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(2 across 1 ecosystem)
Maven(2)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.logging.log4j:log4j-core | 2.0 ... 2.9.1 (39 versions) | 2.12.2 | — |
| org.ops4j.pax.logging:pax-logging-log4j2 | 2.0.0 ... 2.0.9 (12 versions) | 2.0.12 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(3)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
Data Freshness Timeline
(refreshed 84× in last 7d / 353× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 502 total refreshes for this CVE.
- 2026-07-12 01:01 UTCEG score recompute
- 2026-07-12 01:01 UTCVendor advisory
- 2026-07-11 20:49 UTCEG score recompute
- 2026-07-11 20:49 UTCVendor advisory
- 2026-07-11 16:37 UTCEG score recompute
- 2026-07-11 16:37 UTCVendor advisory
- 2026-07-11 12:25 UTCEG score recompute
- 2026-07-11 12:25 UTCVendor advisory
- 2026-07-11 08:12 UTCEG score recompute
- 2026-07-11 08:12 UTCVendor advisory
- 2026-07-11 04:00 UTCEG score recompute
- 2026-07-11 04:00 UTCVendor advisory
- 2026-07-10 23:48 UTCEG score recompute
- 2026-07-10 23:48 UTCVendor advisory
- 2026-07-10 19:35 UTCEG score recompute
- 2026-07-10 19:35 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 15:22 UTCEG score recompute
- 2026-07-10 15:22 UTCVendor advisory
- 2026-07-10 11:08 UTCEG score recompute
- 2026-07-10 11:08 UTCVendor advisory
- 2026-07-10 06:56 UTCEG score recompute
- 2026-07-10 06:56 UTCVendor advisory
- 2026-07-10 02:43 UTCEG score recompute
- 2026-07-10 02:43 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-09 22:30 UTCEG score recompute
- 2026-07-09 22:30 UTCVendor advisory
- 2026-07-09 19:07 UTCEPSS rescore
- 2026-07-09 18:18 UTCEG score recompute
- 2026-07-09 18:18 UTCVendor advisory
- 2026-07-09 14:06 UTCEG score recompute
- 2026-07-09 14:06 UTCVendor advisory
- 2026-07-09 09:54 UTCEG score recompute
- 2026-07-09 09:54 UTCVendor advisory
- 2026-07-09 05:42 UTCEG score recompute
- 2026-07-09 05:42 UTCVendor advisory
- 2026-07-09 01:30 UTCEG score recompute
- 2026-07-09 01:30 UTCVendor advisory
- 2026-07-08 21:17 UTCEG score recompute
- 2026-07-08 21:17 UTCVendor advisory
- 2026-07-08 17:03 UTCEG score recompute
- 2026-07-08 17:03 UTCVendor advisory
- 2026-07-08 12:51 UTCEG score recompute
- 2026-07-08 12:51 UTCVendor advisory
- 2026-07-08 08:39 UTCEG score recompute
- 2026-07-08 08:39 UTCVendor advisory
- 2026-07-08 04:25 UTCEG score recompute
- 2026-07-08 04:25 UTCVendor advisory
- 2026-07-08 00:11 UTCEG score recompute
- 2026-07-08 00:11 UTCVendor advisory
- 2026-07-07 19:58 UTCEG score recompute
- 2026-07-07 19:58 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 15:45 UTCEG score recompute
- 2026-07-07 15:45 UTCVendor advisory
- 2026-07-07 11:32 UTCEG score recompute
- 2026-07-07 11:32 UTCVendor advisory
- 2026-07-07 07:20 UTCEG score recompute
- 2026-07-07 07:20 UTCVendor advisory
- 2026-07-07 03:07 UTCEG score recompute
- 2026-07-07 03:07 UTCVendor advisory
- 2026-07-06 22:52 UTCEG score recompute
- 2026-07-06 22:52 UTCVendor advisory
- 2026-07-06 18:39 UTCEG score recompute
- 2026-07-06 18:39 UTCVendor advisory
- 2026-07-06 14:26 UTCEG score recompute
- 2026-07-06 14:26 UTCVendor advisory
- 2026-07-06 10:12 UTCEG score recompute
- 2026-07-06 10:12 UTCVendor advisory
- 2026-07-06 05:59 UTCEG score recompute
- 2026-07-06 05:59 UTCVendor advisory
- 2026-07-06 01:46 UTCEG score recompute
- 2026-07-06 01:46 UTCVendor advisory
- 2026-07-05 21:33 UTCEG score recompute
- 2026-07-05 21:33 UTCVendor advisory
- 2026-07-05 17:21 UTCEG score recompute
- 2026-07-05 17:21 UTCVendor advisory
- 2026-07-05 13:08 UTCEG score recompute
- 2026-07-05 13:08 UTCVendor advisory
- 2026-07-05 08:56 UTCEG score recompute
- 2026-07-05 08:56 UTCVendor advisory
- 2026-07-05 04:44 UTCEG score recompute
- 2026-07-05 04:44 UTCVendor advisory
- 2026-07-05 00:30 UTCEG score recompute
- 2026-07-05 00:30 UTCVendor advisory
- 2026-07-04 20:18 UTCEG score recompute
- 2026-07-04 20:18 UTCVendor advisory
- 2026-07-04 16:05 UTCEG score recompute
- 2026-07-04 16:05 UTCVendor advisory
- 2026-07-04 11:52 UTCEG score recompute
- 2026-07-04 11:52 UTCVendor advisory
- 2026-07-04 07:40 UTCEG score recompute
- 2026-07-04 07:40 UTCVendor advisory
- 2026-07-04 03:25 UTCEG score recompute
- 2026-07-04 03:25 UTCVendor advisory
- 2026-07-03 23:12 UTCEG score recompute
- 2026-07-03 23:12 UTCVendor advisory
- 2026-07-03 18:59 UTCEG score recompute
- 2026-07-03 18:59 UTCVendor advisory
Publicly available exploits
(7 references)Working exploit code is in the public domain (1 Metasploit module) (5 GitHub PoCs). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- GitHub PoCifconfig-me/Log4Shell-PayloadsFirst seen Jul 23, 2025
Log4Shell / Log4J Payload - CVE-2021-45046 and CVE-2022-42889
Open source ↗ - GitHub PoClijiejie/log4j2_vul_local_scannerFirst seen Dec 20, 2021
Log4j 漏洞本地检测脚本。 Scan all java processes on your host to check whether it's affected by log4j2 remote code execution vulnerability (CVE-2021-45046)
Open source ↗ - GitHub PoCmergebase/log4j-samplesFirst seen Dec 16, 2021
Public testing data. Samples of log4j library versions to help log4j scanners / detectors improve their accuracy for detecting CVE-2021-45046 and CVE-2021-44228. TAG_TESTING, OWNER_KEN, DC_PUBLIC
Open source ↗ - GitHub PoCcckuailong/Log4j_CVE-2021-45046First seen Dec 15, 2021
Log4j 2.15.0 Privilege Escalation -- CVE-2021-45046
Open source ↗ - GitHub PoCBobTheShoplifter/CVE-2021-45046-InfoFirst seen Dec 15, 2021
Oh no another one
Open source ↗ - Metasploitauxiliary/scanner/http/log4shell_scanner✓ verifiedFirst seen Dec 9, 2021
Log4Shell HTTP Scanner
Open source ↗ - Nucleihttp/cves/2021/CVE-2021-45046.yamlFirst seen Jan 1, 2021
Apache Log4j2 - Remote Code Injection
Open source ↗
Past incidents using this CVE
(1)This CVE was central to one or more publicly-documented breaches. Each card links to authoritative reporting at the time of the incident.
- Log4Shell (Apache Log4j)Dec 2021
JNDI lookup injection in Log4j, a ubiquitous Java logging library. Pre-auth unauthenticated RCE; Apache Foundation called it the worst vulnerability in a decade. Active exploitation continues 3+ years later.
Source: Wired
Frequently asked(6)
What is CVE-2021-45046?
When was CVE-2021-45046 disclosed?
Is CVE-2021-45046 actively exploited?
What is the CVSS score of CVE-2021-45046?
Which products are affected by CVE-2021-45046?
How do I remediate CVE-2021-45046?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-45046
Is Your Infrastructure Affected by CVE-2021-45046?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.