CVE-2026-29062 is a vulnerability in the jackson-core library, specifically affecting versions from 3.0.0 up to but not including 3.1.0. Jackson-core is a widely used Java library for processing JSON data, providing core low-level streaming parser and generator abstractions. The vulnerability arises because the UTF8DataInputJsonParser, which parses JSON from a java.io.DataInput source, bypasses the maxNestingDepth constraint defined in StreamReadConstraints. This constraint, set by default to 500, is intended to prevent excessively nested JSON structures that could cause resource exhaustion. A similar bypass exists in ReaderBasedJsonParser. By supplying a JSON document with excessive nesting, an attacker can cause the parser to exceed the stack depth, resulting in a StackOverflowError. This error leads to a denial of service (DoS) condition as the application processing the JSON input crashes or becomes unresponsive. The flaw is categorized under CWE-770, which relates to allocation of resources without proper limits or throttling. The vulnerability requires no authentication or user interaction and can be exploited remotely by sending crafted JSON data. The issue was addressed and patched in jackson-core version 3.1.0. No public exploits have been reported yet, but the high CVSS 8.7 score reflects the significant risk posed by this vulnerability.

The primary impact of CVE-2026-29062 is denial of service (DoS) through application crashes caused by StackOverflowError when processing maliciously crafted JSON input with excessive nesting. Organizations using jackson-core versions 3.0.0 to before 3.1.0 in their Java applications are at risk. This can affect web services, APIs, and backend systems that parse JSON data from untrusted or external sources. The DoS can disrupt service availability, degrade user experience, and potentially cause cascading failures in dependent systems. Since jackson-core is widely adopted in enterprise Java applications globally, the scope of affected systems is broad. Attackers do not require authentication or user interaction, making exploitation easier. Although no known exploits are currently in the wild, the vulnerability’s presence in a fundamental JSON parsing library makes it a critical risk for many organizations, especially those exposing JSON interfaces to the internet or processing third-party data.

To mitigate CVE-2026-29062, organizations should upgrade jackson-core to version 3.1.0 or later, where the maxNestingDepth constraint bypass is fixed. For environments where immediate upgrade is not feasible, implement input validation to reject JSON documents with excessive nesting before parsing. Employ Web Application Firewalls (WAFs) or API gateways to detect and block suspiciously nested JSON payloads. Monitor application logs for StackOverflowError or abnormal crashes related to JSON parsing. Consider sandboxing or isolating JSON processing components to limit impact of potential DoS. Regularly audit dependencies and apply security patches promptly. Educate developers on secure JSON handling practices, including setting explicit limits on JSON complexity and nesting depth. Finally, incorporate fuzz testing and stress testing of JSON parsers to identify similar resource exhaustion issues proactively.