Denial of Service Vulnerability in Jackson Core by FasterXML
CVE-2026-29062

8.7HIGH

Key Information:

Vendor

Fasterxml

Status
Jackson-core
Vendor
CVE Published:
6 March 2026

What is CVE-2026-29062?

The jackson-core library contains a vulnerability in its UTF8DataInputJsonParser and ReaderBasedJsonParser implementations. These components fail to enforce the maxNestingDepth limit defined in StreamReadConstraints. This oversight allows an attacker to craft a JSON payload with deep nesting, leading to a StackOverflowError during processing. Consequently, this could result in a Denial of Service (DoS) condition for affected applications. Users are advised to upgrade to version 3.1.0 or later, where this issue has been resolved.

Affected Version(s)

jackson-core >= 3.0.0, < 3.1.0

References

https://github.com/FasterXML/jackson-core/security/adviso...
x_refsource_CONFIRM
https://github.com/FasterXML/jackson-core/pull/1554
x_refsource_MISC
https://github.com/FasterXML/jackson-core/commit/8b25fd67...
x_refsource_MISC

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.