Cyber Resilience

CVE-2026-29062

Severity: High · Category: DoS · Status: Updated

Published: 06 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available
CVSS Score (v4): 8.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0049 (38.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29062 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in FasterXML jackson-core. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 38.4th percentile by exploit likelihood (EPSS, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-29062 is a denial-of-service vulnerability in the jackson-core library, which provides core low-level incremental streaming parser and generator abstractions for the Jackson Data Processor. It affects versions 3.0.0 through 3.0.5 (prior to 3.1.0). The issue stems from the UTF8DataInputJsonParser, used when parsing from a java.io.DataInput source, and a similar flaw in ReaderBasedJsonParser; both bypass the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. This enables processing of JSON documents with excessive nesting, triggering a StackOverflowError. The vulnerability is rated 7.5 on CVSS v3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWE-770.

Any unauthenticated attacker with network access can exploit this by supplying a specially crafted JSON payload with deeply nested structures to an application using the affected parsers on untrusted input. Successful exploitation causes recursive parsing that exhausts the call stack, resulting in a StackOverflowError and denial of service, such as application crashes or service unavailability.

The vulnerability has been patched in jackson-core version 3.1.0. Mitigation involves upgrading to 3.1.0 or later. Official details are available in the GitHub security advisory (GHSA-6v53-7c9g-w56r), the patching pull request (/pull/1554), and the fix commit (8b25fd67f20583e75fb09564ce1eaab06cd5a902).
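The input-validation mitigation named above (SI-10) means bounding nesting depth before an untrusted document reaches a parser whose own depth limit cannot be trusted. The following guard is an added example written for this page; it is not code from jackson-core or from the advisory. It assumes a Python-based gateway or pre-processing step in front of the affected application, uses the page's default limit of 500, and implements the check as a single iterative pass so that the guard itself cannot overflow the stack on the very input it is meant to reject. All function and exception names are constructed for the example.

```python
"""Depth-bounded pre-check for untrusted JSON (constructed example).

Mirrors the intent of Jackson's StreamReadConstraints.maxNestingDepth:
reject a document once its nesting exceeds a limit, before any
recursive parser sees it.  The scan is iterative and string-aware
(braces and brackets inside string literals, including escaped quotes,
are not counted), and it stops at the first byte that breaks the limit.
"""
import json

MAX_NESTING_DEPTH = 500  # same default as the StreamReadConstraints value cited on the page


class NestingDepthExceeded(ValueError):
    """Raised when a JSON document nests deeper than the configured limit."""


def max_json_nesting_depth(data, limit=MAX_NESTING_DEPTH):
    """Return the maximum nesting depth of `data` (bytes or str).

    Raises NestingDepthExceeded as soon as depth exceeds `limit`, without
    reading the rest of the input.  Unbalanced or otherwise malformed input
    is deliberately not diagnosed here; that is left to the real parser.
    """
    if isinstance(data, str):
        data = data.encode("utf-8")

    depth = 0
    max_depth = 0
    in_string = False
    escaped = False

    for b in data:  # iterating bytes yields ints
        if in_string:
            if escaped:
                escaped = False          # the escaped character is consumed
            elif b == 0x5C:              # backslash starts an escape
                escaped = True
            elif b == 0x22:              # unescaped quote ends the string
                in_string = False
            continue

        if b == 0x22:                    # quote opens a string literal
            in_string = True
        elif b in (0x7B, 0x5B):          # '{' or '[' opens a container
            depth += 1
            if depth > limit:
                raise NestingDepthExceeded(
                    "JSON nesting depth exceeds limit of %d" % limit)
            if depth > max_depth:
                max_depth = depth
        elif b in (0x7D, 0x5D):          # '}' or ']' closes a container
            depth -= 1

    return max_depth


def guarded_loads(data, limit=MAX_NESTING_DEPTH):
    """Parse `data` only after the depth guard has accepted it."""
    max_json_nesting_depth(data, limit)
    return json.loads(data)


if __name__ == "__main__":
    # Constructed sample inputs: a benign document and a deeply nested one.
    benign = b'{"user": "alice", "roles": ["admin", {"scope": []}]}'
    print("benign depth:", max_json_nesting_depth(benign))
    deep = b"[" * 600 + b"]" * 600
    try:
        guarded_loads(deep)
    except NestingDepthExceeded as exc:
        print("rejected:", exc)
```

The guard is an allow-before-parse filter: it never builds a tree, so its cost is linear in input size and constant in memory regardless of depth. Placing it at the edge (gateway, WAF rule, or request filter) protects every downstream parser, including ones such as the affected UTF8DataInputJsonParser and ReaderBasedJsonParser whose own constraint enforcement was the bug.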

Vulnerability details

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote unauthenticated exploitation of a JSON parser flaw (bypassing nesting limits) to trigger StackOverflowError and application crash, directly enabling T1499.004 (Application or System Exploitation) for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2021-47784 (shared CWE-770)
CVE-2021-47793 (shared CWE-770)
CVE-2021-47895 (shared CWE-770)
CVE-2026-23490 (shared CWE-770)
CVE-2026-31866 (shared CWE-770)
CVE-2026-33260 (shared CWE-770)
CVE-2026-33012 (shared CWE-770)
CVE-2026-5438 (shared CWE-770)
CVE-2024-57662 (shared CWE-770)

Affected Assets

Vendor: fasterxml
Product: jackson-core
Versions: 3.0.0 up to, but not including, 3.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation · prevent

Directly addresses the CVE by requiring timely remediation of the vulnerable jackson-core library through patching to version 3.1.0 or later.

SI-10 Information Input Validation · prevent

Requires validation of untrusted JSON inputs to reject or sanitize payloads with excessive nesting depth before they reach the affected parsers.

prevent · detect

Provides protections against denial-of-service attacks, including resource exhaustion from deeply nested JSON causing StackOverflowError.
