## Apache Log4j 2.6.1 Contains Critical Incomplete Patch for CVE-2021-45046
A critical vulnerability, CVE-2021-45046, has been detected in the widely used Apache Log4j logging library, specifically in version 2.6.1. This is not a new flaw but a dangerous revelation that the original emergency patch for the infamous Log4Shell vulnerability (CVE-2021-44228) was incomplete. The incomplete fix in Log4j 2.15.0 leaves systems vulnerable under specific, non-default configurations, meaning many organizations that believed they were patched may still be exposed to remote code execution attacks.

The vulnerability resides in the `log4j-core-2.6.1.jar` file. The flaw is triggered when attackers control Thread Context Map (MDC) input data and the application uses a logging configuration with a non-default Pattern Layout that includes a Context Lookup (e.g., $${ctx:loginId}) or a Thread Context Map pattern like %X, %mdc, or %MDC. This combination allows for the crafting of malicious input data that can bypass the initial patch, leading to the same catastrophic remote code execution consequences as the original Log4Shell exploit.

This discovery signals intense ongoing pressure on the global software supply chain. Any system or service still using Log4j versions 2.15.0 or earlier, including the detected 2.6.1, must be treated as critically vulnerable. The finding underscores that the initial patch was a stopgap, not a complete solution, forcing a renewed and urgent scramble for organizations to upgrade to Log4j 2.16.0 or later. The persistence of this jar in dependency hierarchies, as shown in the sample `pom.xml` file, highlights how deeply embedded and difficult to eradicate this vulnerable component remains across countless Java applications worldwide.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: CVE-2021-45046, Log4Shell, Apache, Software Supply Chain, Remote Code Execution
- **Credibility**: unverified
- **Published**: 2026-04-08 10:27:08
- **ID**: 54763
- **URL**: https://whisperx.ai/en/intel/54763