PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29062 FasterXML CVE debrief

CVE-2026-29062 is a high-severity vulnerability in Jackson-Core, a popular Java library for processing JSON data. It allows a Denial of Service (DoS) attack because the maxNestingDepth constraint can be bypassed in the UTF8DataInputJsonParser and ReaderBasedJsonParser. An attacker can trigger it by supplying a JSON document with excessive nesting, which leads to a StackOverflowError when the document is parsed. The issue has been patched in version 3.1.0. Users of Jackson-Core versions 3.0.0 to 3.1.0 are advised to upgrade to 3.1.0 or apply compensating controls. The CVSS score for this vulnerability is 8.7, indicating high severity. The vulnerability was publicly disclosed on March 6, 2026, and the record was last updated on June 30, 2026.

Vendor: FasterXML
Product: jackson-core
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-06
Original CVE updated: 2026-06-30
Advisory published: 2026-03-06
Advisory updated: 2026-06-30

Who should care

Developers and administrators running Jackson-Core versions 3.0.0 to 3.1.0 should be aware of this vulnerability and take the necessary actions to mitigate it: upgrade to version 3.1.0 or apply compensating controls. Users of Red Hat products that bundle Jackson-Core may additionally need to apply the patches or updates provided by Red Hat.

Technical summary

The vulnerability in Jackson-Core arises from a bypass of the maxNestingDepth constraint in the UTF8DataInputJsonParser and ReaderBasedJsonParser. Because the limit is not enforced on these code paths, an attacker can supply a JSON document with excessive nesting, and parsing it ends in a StackOverflowError. The maxNestingDepth constraint is set to 500 by default. The issue has been patched in version 3.1.0 by properly enforcing this constraint. The vulnerability has a CVSS score of 8.7, indicating high severity.

Defensive priority

High priority should be given to upgrading to Jackson-Core version 3.1.0 or applying compensating controls to mitigate this vulnerability. Developers and administrators should review their systems and applications that use Jackson-Core and take necessary actions.

Recommended defensive actions

  • Upgrade to Jackson-Core version 3.1.0 or later
  • Apply compensating controls to limit the depth of JSON documents processed
  • Review and update systems and applications that use Jackson-Core
  • Monitor for and respond to potential DoS attacks
  • Consider implementing additional security measures to protect against similar vulnerabilities
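The technical summary above describes the failure mode (the parser's own depth limit is bypassed, so nesting is unbounded until the stack overflows), and the action list calls for a compensating control that limits the depth of JSON documents processed. The following is an added example, not code from the PatchSiren page or from the Jackson project: a plain-Java pre-check that scans a document linearly, counts object and array nesting while ignoring brackets inside string literals, and rejects input that is unbalanced or deeper than a chosen limit before any Jackson parser sees it. The class name JsonDepthGuard, the method names and the 500 limit used in main are assumptions for this illustration (500 matches the default the page quotes for maxNestingDepth); the sample documents are constructed.

```java
import java.nio.charset.StandardCharsets;

/**
 * Compensating control: bound JSON nesting depth before handing the bytes
 * to a parser whose own maxNestingDepth check cannot be relied on.
 * The scan is iterative (no recursion), so it cannot itself overflow the stack.
 */
public final class JsonDepthGuard {

    private JsonDepthGuard() {}

    /**
     * Returns the maximum object/array nesting depth of the document.
     * Brackets inside string literals (including escaped quotes) are ignored.
     * Unbalanced input or an unterminated string yields -1 so callers treat
     * the document as untrusted rather than as "shallow".
     */
    public static int maxDepth(byte[] json) {
        int depth = 0;
        int maxSeen = 0;
        boolean inString = false;
        boolean escaped = false;
        for (byte b : json) {
            if (inString) {
                if (escaped) {
                    escaped = false;          // the escaped character is consumed
                } else if (b == '\\') {
                    escaped = true;           // next byte is part of an escape sequence
                } else if (b == '"') {
                    inString = false;         // closing quote of the literal
                }
                continue;
            }
            switch (b) {
                case '"':
                    inString = true;
                    break;
                case '{':
                case '[':
                    depth++;
                    if (depth > maxSeen) {
                        maxSeen = depth;
                    }
                    break;
                case '}':
                case ']':
                    depth--;
                    if (depth < 0) {
                        return -1;            // more closes than opens
                    }
                    break;
                default:
                    break;                    // scalars, commas, whitespace, colons
            }
        }
        return (depth == 0 && !inString) ? maxSeen : -1;
    }

    /** Accept only documents that are balanced and nest no deeper than limit. */
    public static boolean withinLimit(byte[] json, int limit) {
        int depth = maxDepth(json);
        return depth >= 0 && depth <= limit;
    }

    public static void main(String[] args) {
        // Constructed sample: depth 3, with brackets inside a string that must not count.
        byte[] ordinary = "{\"a\":[1,2,{\"b\":\"]}}}}\"}]}".getBytes(StandardCharsets.UTF_8);

        // Constructed sample: 600 nested arrays, deeper than the documented default of 500.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 600; i++) {
            sb.append('[');
        }
        for (int i = 0; i < 600; i++) {
            sb.append(']');
        }
        byte[] deep = sb.toString().getBytes(StandardCharsets.UTF_8);

        int limit = 500;   // assumption: mirror the maxNestingDepth default quoted on the page
        System.out.println("ordinary document accepted: " + withinLimit(ordinary, limit));
        System.out.println("deep document accepted: " + withinLimit(deep, limit));
    }
}
```

The guard operates on raw UTF-8 bytes, which is safe because the structural characters it looks for are ASCII and never appear inside multi-byte sequences. Place it at the boundary where untrusted JSON enters (a request filter, a message consumer) and size the limit to what the application legitimately needs, which is usually far below 500; the check is a stopgap until the upgrade to 3.1.0 lands, not a replacement for it.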

Evidence notes

The vulnerability was publicly disclosed on March 6, 2026, and the record was last updated on June 30, 2026. The CVSS score for this vulnerability is 8.7, indicating high severity. The issue has been patched in version 3.1.0. Users of Jackson-Core versions 3.0.0 to 3.1.0 are advised to upgrade to 3.1.0 or apply compensating controls.

Official resources

This article is AI-assisted and based on the supplied source corpus.