CVE-2026-29062 in jackson-core
Summary
by MITRE • 03/06/2026
jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.
Analysis
by VulDB Data Team • 05/23/2026
The vulnerability identified as CVE-2026-29062 affects the jackson-core library, the foundational component that provides Jackson Data Processor's streaming parser and generator abstractions. This critical flaw resides in the UTF8DataInputJsonParser, used when parsing from a java.io.DataInput source, and in the ReaderBasedJsonParser. It is a direct failure of input validation: a bypass that undermines the controls designed to prevent excessive resource consumption during JSON processing. The issue affects versions 3.0.0 through 3.0.9 of the library, creating a window of exposure in which maliciously crafted JSON documents can exploit the parser's failure to honour the configured nesting depth limit.
The implementation flaw stems from the parser's failure to enforce the maxNestingDepth constraint that normally guards against deep recursion. When processing JSON data from DataInput sources, the UTF8DataInputJsonParser and ReaderBasedJsonParser bypass the StreamReadConstraints configuration that limits nesting depth to 500 levels by default. An attacker can therefore supply a JSON document nested deeply enough to trigger a StackOverflowError during processing. The result is a denial of service in which the JVM process terminates from stack exhaustion, rendering the application unavailable to legitimate users. This behavior aligns with attack patterns described in the ATT&CK framework under the privilege escalation and denial of service categories.
The operational impact extends beyond a single disrupted request to the availability and stability of the whole application. Applications relying on jackson-core can be crashed repeatedly, causing cascading failures in systems that depend on JSON processing. Because excessive nesting deterministically produces a StackOverflowError, any input that exceeds the parser's effective limit causes immediate application termination. Web applications, microservices, and any system that processes untrusted JSON from external sources are particularly exposed, which makes the issue a significant concern for organizations running production environments. At root, the parser fails to maintain proper stack depth accounting during recursive parsing, a fundamental flaw in input sanitization and resource management.
Mitigation for CVE-2026-29062 requires patching to version 3.1.0 or later, where the vulnerability has been addressed. Organizations should inventory all systems and applications that use affected jackson-core versions, particularly those handling external JSON input. Rolling out the patch should include thorough regression testing to confirm that the fix neither degrades performance nor changes parser behavior for legitimate documents. As defense in depth, security teams should add input validation at application boundaries that bounds JSON document complexity and nesting depth independently of the parser. Monitoring and alerting should also be configured to detect unusual parsing patterns, since a StackOverflowError raised during JSON processing can indicate an attempted exploitation. The fix resolves the core issue by enforcing the StreamReadConstraints configuration across all parser implementations, so that maxNestingDepth is applied consistently regardless of input source type. This remediation aligns with CWE-770, which addresses improper restriction of operations within a limited error handling scope, and restores the intended resource management controls within the Jackson Data Processor framework.
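A boundary pre-check of the kind the mitigation paragraph recommends, as an added example (not jackson-core's or the project's own code): it caps nesting depth at the application boundary before any parser, regardless of input source type, touches the bytes. `NestingDepthGuard` and `checkDepth` are names chosen here; the 500 limit mirrors the StreamReadConstraints default cited above.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInput;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;

// Added example, not jackson-core code: a boundary pre-check that bounds nesting
// depth before the bytes reach any parser, whatever the input source type.
public final class NestingDepthGuard {
    public static final int DEFAULT_MAX_DEPTH = 500; // the StreamReadConstraints default
    // Reads a DataInput byte by byte, returns the deepest nesting seen, and throws at the
    // first bracket past maxDepth (refusal costs at most maxDepth+1 opens). Byte-level
    // scanning is UTF-8 safe: " \ { } [ ] are ASCII and never occur inside multi-byte sequences.
    public static int checkDepth(DataInput in, int maxDepth) throws IOException {
        int depth = 0, maxSeen = 0;
        boolean inString = false, escaped = false;
        try {
            while (true) {
                int b = in.readUnsignedByte();
                if (inString) {                 // brackets inside string literals do not nest
                    if (escaped) escaped = false;
                    else if (b == '\\') escaped = true;
                    else if (b == '"') inString = false;
                    continue;
                }
                switch (b) {                    // scalars, whitespace, ':' and ',' need no action
                    case '"': inString = true; break;
                    case '{': case '[':
                        if (++depth > maxDepth) throw new IOException("nesting depth exceeds " + maxDepth);
                        maxSeen = Math.max(maxSeen, depth);
                        break;
                    case '}': case ']':
                        if (--depth < 0) throw new IOException("unbalanced closing bracket");
                        break;
                }
            }
        } catch (EOFException end) {            // DataInput reports end of data this way
        }
        if (depth != 0 || inString) throw new IOException("truncated JSON document");
        return maxSeen;
    }
    public static void main(String[] args) throws IOException {
        // Constructed inputs: a benign document with brackets inside a string, then 600 nested arrays.
        byte[] benign = "{\"a\":[1,{\"b\":\"]]\"}]}".getBytes();
        byte[] deep = ("[".repeat(600) + "]".repeat(600)).getBytes();
        System.out.println("benign depth = " + checkDepth(new DataInputStream(new ByteArrayInputStream(benign)), DEFAULT_MAX_DEPTH));
        try { checkDepth(new DataInputStream(new ByteArrayInputStream(deep)), DEFAULT_MAX_DEPTH); }
        catch (IOException rejected) { System.out.println("rejected: " + rejected.getMessage()); }
    }
}
```

The scan consumes the stream, so buffer or re-open the input before handing it to the real parser. It is a depth gate, not a JSON validator; the patched parser still performs full validation.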