CVE-2026-29062
Published: 06 March 2026
Summary
CVE-2026-29062 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Fasterxml Jackson-Core. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 38.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-29062 is a denial-of-service vulnerability in the jackson-core library, which provides core low-level incremental streaming parser and generator abstractions for the Jackson Data Processor. It affects versions 3.0.0 through 3.0.5 (prior to 3.1.0). The issue stems from the UTF8DataInputJsonParser, used when parsing from a java.io.DataInput source, and a similar flaw in ReaderBasedJsonParser; both bypass the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. This enables processing of JSON documents with excessive nesting, triggering a StackOverflowError. The vulnerability is rated 7.5 on CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770.
Any unauthenticated attacker with network access can exploit this by supplying a specially crafted JSON payload with deeply nested structures to an application using the affected parsers on untrusted input. Successful exploitation causes recursive parsing that exhausts the call stack, resulting in a StackOverflowError and denial of service, such as application crashes or service unavailability.
The vulnerability has been patched in jackson-core version 3.1.0. Mitigation involves upgrading to 3.1.0 or later. Official details are available in the GitHub security advisory (GHSA-6v53-7c9g-w56r), the patching pull request (/pull/1554), and the fix commit (8b25fd67f20583e75fb09564ce1eaab06cd5a902).
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10018
Vulnerability details
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote unauthenticated exploitation of a JSON parser flaw (bypassing nesting limits) to trigger StackOverflowError and application crash, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly addresses the CVE by requiring timely remediation of the vulnerable jackson-core library through patching to version 3.1.0 or later.
- SI-10 (Information Input Validation): requires validation of untrusted JSON inputs to reject or sanitize payloads with excessive nesting depth before they reach the affected parsers.
- Denial-of-service protection: provides protections against denial-of-service attacks, including resource exhaustion from deeply nested JSON causing a StackOverflowError.
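As an added example (not code from the advisory or the Jackson project), the following pre-parse check implements the input-validation control above: it measures bracket nesting in a raw JSON payload while skipping string literals, and rejects the payload before its bytes reach any parser. Because the affected parsers bypass maxNestingDepth, a guard outside the parser is the compensating control until the upgrade to 3.1.0; the class name JsonDepthGuard, the byte-level scan and the sample payloads are my own, and the limit of 500 mirrors the StreamReadConstraints default quoted above.

```java
import java.nio.charset.StandardCharsets;

// Added example, not from the advisory or the Jackson project: a pre-parse
// nesting-depth guard for JSON payloads, applied before bytes reach a parser.
// It counts '[' / '{' nesting while skipping string literals, so brackets
// inside strings are not counted. Multibyte UTF-8 bytes never equal ASCII
// '"', '[' or '{', so a byte-level scan is safe for UTF-8 input.
public final class JsonDepthGuard {
    // Mirrors the StreamReadConstraints default nesting limit (500).
    public static final int DEFAULT_MAX_DEPTH = 500;

    private JsonDepthGuard() {}

    /** Returns the deepest nesting seen, or -1 if it exceeds maxDepth (stops early). */
    public static int measureDepth(byte[] json, int maxDepth) {
        int depth = 0, maxSeen = 0;
        boolean inString = false;
        for (int i = 0; i < json.length; i++) {
            byte b = json[i];
            if (inString) {
                if (b == '\\') { i++; }            // skip escaped char, including \" and \\
                else if (b == '"') { inString = false; }
                continue;
            }
            switch (b) {
                case '"': inString = true; break;
                case '[': case '{':
                    depth++;
                    if (depth > maxDepth) return -1; // reject without reading the rest
                    if (depth > maxSeen) maxSeen = depth;
                    break;
                case ']': case '}':
                    if (depth > 0) depth--;          // unbalanced closers are left to the parser
                    break;
                default: break;
            }
        }
        return maxSeen;
    }

    public static boolean withinLimit(byte[] json, int maxDepth) {
        return measureDepth(json, maxDepth) >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a benign document whose string contains brackets,
        // and a deeply nested array that a vulnerable parser would recurse into.
        byte[] benign = "{\"a\":[1,[2,[3]]],\"s\":\"[[[[\"}".getBytes(StandardCharsets.UTF_8);
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 10_000; i++) sb.append('[');
        byte[] deep = sb.toString().getBytes(StandardCharsets.UTF_8);
        System.out.println("benign depth = " + measureDepth(benign, DEFAULT_MAX_DEPTH));
        System.out.println("deep payload within limit? " + withinLimit(deep, DEFAULT_MAX_DEPTH));
    }
}
```

Run the guard on the raw request body and return an error for payloads it rejects; the depth limit should match (or be lower than) the maxNestingDepth you configure in StreamReadConstraints once the library is upgraded.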