CVE-2026-29062

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29062.json"
}

References

Affected packages

Git / github.com/fasterxml/jackson-core

Affected ranges

Type: GIT
Repo: https://github.com/fasterxml/jackson-core
Events: Introduced

360d616bbb88253ea094ccd7f18ca0edd97417a9

Fixed

f59c10646e6fd09f37d149bb97a9a956bc684e1e

Affected versions

jackson-core-2.*

jackson-core-2.18.5

jackson-core-2.18.6

jackson-core-2.19.3

jackson-core-2.19.4

jackson-core-2.20.1

jackson-core-2.20.2

jackson-core-2.21.0

jackson-core-2.21.1

jackson-core-3.*

jackson-core-3.0.0

jackson-core-3.0.1

jackson-core-3.0.2

jackson-core-3.0.3

jackson-core-3.0.4

jackson-core-3.1.0-rc1

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29062.json"