How serious is CVE-2026-29062?

This vulnerability has a CVSS score of 8.7 out of 10, classified as HIGH severity. No public exploit code has been identified yet.

Which products are affected by CVE-2026-29062?

CVE-2026-29062 affects fasterxml jackson-core. Check the full CVE details for specific version information.

How do I fix CVE-2026-29062?

To remediate CVE-2026-29062, check for security patches from fasterxml. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-29062

High

|8.7

No Exploit

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows an attacker to crash an application by sending a JSON document that is too deeply nested, which can overwhelm the system and cause it to stop working. It affects versions of the jackson-core library from 3.0.0 up to, but not including, 3.1.0, so updating to the latest version is essential to prevent this issue.

Technical Description

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactHigh

Integrity ImpactHigh

Availability ImpactHigh

ScopeChanged

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$4,579($1K-$5K)

Vendor Response

Grade APatched in 4 days

Quick Information

Published

Mar 6, 2026

about 1 month ago

Last Modified

Mar 10, 2026

28 days ago

Vendor

fasterxml

Product

jackson-core