From 3d38074d5a3ca50b39f972ec028e52bd63b6ee7a Mon Sep 17 00:00:00 2001
From: "John Y. Pazekha"
Date: Wed, 30 Apr 2025 14:15:33 +0200
Subject: [PATCH 1/2] Verifying the capability of PrivateSecurityManager so platforms not (fully) supporting SecurityManager do not poison the stack trace.

---
 .../PrivateSecurityManagerStackTraceUtil.java | 31 ++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/PrivateSecurityManagerStackTraceUtil.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/PrivateSecurityManagerStackTraceUtil.java
index ec2b5cf1e4d..7f9581345b9 100644
--- a/log4j-api/src/main/java/org/apache/logging/log4j/util/PrivateSecurityManagerStackTraceUtil.java
+++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/PrivateSecurityManagerStackTraceUtil.java
@@ -29,6 +29,35 @@ final class PrivateSecurityManagerStackTraceUtil {
 private static final PrivateSecurityManager SECURITY_MANAGER;
 
 static {
+ PrivateSecurityManager candidate = createPrivateSecurityManager();
+ if (isCapable(candidate)) {
+ SECURITY_MANAGER = candidate;
+ } else {
+ SECURITY_MANAGER = null;
+ }
+ }
+
+ private static boolean isCapable(PrivateSecurityManager candidate) {
+ if (candidate == null) {
+ return false;
+ }
+
+ try {
+ final Class[] result = candidate.getClassContext();
+ if (result == null || result.length == 0) {
+ // This happens e.g. on Android which has real implementation of SecurityManager replaced with merely
+ // stubs. So the PrivateSecurityManager, though can be instantiated, will not produce meaningful
+ // results
+ return false;
+ }
+ // Add more checks here as needed
+ return true;
+ } catch (Exception ignored) {
+ return false;
+ }
+ }
+
+ private static PrivateSecurityManager createPrivateSecurityManager() {
 PrivateSecurityManager psm;
 try {
 final SecurityManager sm = System.getSecurityManager();
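Review bot: The `catch (Exception ignored)` in `isCapable` does not cover `Error` subclasses, and the probe runs from the static initializer, so a `LinkageError` thrown by `candidate.getClassContext()` on a platform with a stubbed or removed SecurityManager would escape as an initializer failure and leave the class unusable instead of selecting the null fallback. Whether any supported platform fails that way is not visible here, but if it can, widening the clause to `} catch (Exception | LinkageError ignored) {` keeps every probe failure at `return false`. The swallowed exception also deserves a one-line why-comment, for example `// any failure of the probe means "not capable"; SECURITY_MANAGER stays null`. The body of `createPrivateSecurityManager` continues outside this hunk.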
@@ -40,7 +69,7 @@ final class PrivateSecurityManagerStackTraceUtil {
 psm = null;
 }
 
- SECURITY_MANAGER = psm;
+ return psm;
 }
 
 private PrivateSecurityManagerStackTraceUtil() {
From 87a81daf59b43fe606a48915cd4277e403caf39d Mon Sep 17 00:00:00 2001
From: "John Y. Pazekha"
Date: Wed, 30 Apr 2025 21:45:45 +0200
Subject: [PATCH 2/2] Changelog

---
 ...isable_optimization_for_filling_the_stack_trace.xml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 src/changelog/.2.x.x/3639_disable_optimization_for_filling_the_stack_trace.xml

diff --git a/src/changelog/.2.x.x/3639_disable_optimization_for_filling_the_stack_trace.xml b/src/changelog/.2.x.x/3639_disable_optimization_for_filling_the_stack_trace.xml
new file mode 100644
index 00000000000..aaeb769661e
--- /dev/null
+++ b/src/changelog/.2.x.x/3639_disable_optimization_for_filling_the_stack_trace.xml
@@ -0,0 +1,10 @@ + + + + + Verify the capability of SecurityManager so that platforms not (fully) supporting it will not poison the stack trace + + 