PatchSiren cyber security CVE debrief
CVE-2026-29062 FasterXML CVE debrief
CVE-2026-29062 is a high-severity vulnerability in Jackson-Core, a widely used Java library for processing JSON. The flaw is a bypass of the maxNestingDepth constraint in the UTF8DataInputJsonParser and ReaderBasedJsonParser, which allows a Denial of Service (DoS): a JSON document with excessive nesting is processed without the depth limit taking effect and the parser fails with a StackOverflowError. The issue has been patched in version 3.1.0. Users of Jackson-Core versions 3.0.0 to 3.1.0 are advised to upgrade to 3.1.0 or apply compensating controls. The CVSS score is 8.7 (high). The vulnerability was publicly disclosed on March 6, 2026, and the record was last updated on June 30, 2026.
- Vendor: FasterXML
- Product: jackson-core
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-06
- Original CVE updated: 2026-06-30
- Advisory published: 2026-03-06
- Advisory updated: 2026-06-30
Who should care
Developers and administrators running Jackson-Core versions 3.0.0 to 3.1.0 should treat this as actionable: upgrade to version 3.1.0 or apply compensating controls. Users of Red Hat products that bundle Jackson-Core may need to apply the patches or updates that Red Hat provides for those products rather than upgrading the library directly.
Technical summary
The vulnerability arises because the maxNestingDepth constraint is not enforced in the UTF8DataInputJsonParser and ReaderBasedJsonParser. An attacker can therefore supply a JSON document nested more deeply than the configured limit, and the recursive parsing of that document exhausts the thread's stack, producing a StackOverflowError. The maxNestingDepth constraint defaults to 500. Version 3.1.0 fixes the issue by enforcing the constraint in these parsers. The vulnerability has a CVSS score of 8.7, indicating high severity.
Defensive priority
Upgrading to Jackson-Core version 3.1.0, or applying compensating controls where an immediate upgrade is not possible, should be treated as high priority. Developers and administrators should inventory the systems and applications that use Jackson-Core, including transitive dependencies, and schedule remediation for each.
Recommended defensive actions
- Upgrade to Jackson-Core version 3.1.0 or later
- Apply compensating controls to limit the depth of JSON documents processed
- Review and update systems and applications that use Jackson-Core
- Monitor JSON-handling services for StackOverflowError crashes, worker thread deaths or request-handler restarts, which are the observable symptoms of this DoS, and respond to them as potential attacks
- Enforce input size and nesting limits at the application boundary rather than relying only on the parser's own constraints, so that a similar constraint bypass is contained
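As an added example (not code from FasterXML or from this debrief), the following is a parser-independent nesting-depth guard that an application can run over a request body before handing it to Jackson, implementing the "limit the depth of JSON documents processed" control above without depending on the constraint the vulnerability bypasses. It assumes the document is available as a String; the bound of 500 mirrors the default maxNestingDepth cited in the technical summary.

```java
/**
 * Pre-parse guard that rejects JSON text whose nesting exceeds a fixed bound.
 * It only counts brackets outside string literals; it does not validate JSON,
 * so malformed input is still left to the real parser to reject.
 */
public final class JsonDepthGuard {
    private final int maxDepth;

    public JsonDepthGuard(int maxDepth) {
        this.maxDepth = maxDepth;
    }

    /** Returns the deepest nesting seen, or -1 as soon as the bound is exceeded. */
    public int scan(String json) {
        int depth = 0;
        int maxSeen = 0;
        boolean inString = false;
        for (int i = 0; i < json.length(); i++) {
            char c = json.charAt(i);
            if (inString) {
                if (c == '\\') {
                    i++;                 // skip the escaped character, including \"
                } else if (c == '"') {
                    inString = false;
                }
                continue;
            }
            switch (c) {
                case '"': inString = true; break;
                case '{': case '[':
                    if (++depth > maxDepth) return -1;   // stop early: no need to read the rest
                    if (depth > maxSeen) maxSeen = depth;
                    break;
                case '}': case ']': depth--; break;
                default: break;
            }
        }
        return maxSeen;
    }

    public boolean isWithinLimit(String json) {
        return scan(json) >= 0;
    }

    public static void main(String[] args) {
        JsonDepthGuard guard = new JsonDepthGuard(500);
        // Constructed samples: brackets inside the string value must not count as nesting.
        String benign = "{\"a\":[1,2,{\"b\":\"[[[not nesting]]]\"}]}";
        StringBuilder hostile = new StringBuilder();
        for (int i = 0; i < 100_000; i++) hostile.append('[');
        System.out.println(guard.isWithinLimit(benign));            // true  (depth 3)
        System.out.println(guard.isWithinLimit(hostile.toString())); // false (bound exceeded)
    }
}
```

Reject the request when isWithinLimit returns false, before the body reaches any JsonParser; for streamed input, apply the same loop to a buffered Reader instead of a String.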
Evidence notes
The vulnerability was publicly disclosed on March 6, 2026, and the record was last updated on June 30, 2026. The CVSS score is 8.7, indicating high severity. The issue has been patched in version 3.1.0. Users of Jackson-Core versions 3.0.0 to 3.1.0 are advised to upgrade to 3.1.0 or apply compensating controls.
Official resources
- CVE-2026-29062 CVE record (CVE.org)
- CVE-2026-29062 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Patch)
- Mitigation or vendor reference: [email protected] (Issue Tracking, Patch)
- Mitigation or vendor reference: [email protected] (Patch, Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.