CVE-2026-29062

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-29062
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29062.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29062
Aliases
Downstream
Related
Published
2026-03-06T07:14:25.059Z
Modified
2026-03-14T12:48:26.996955Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
jackson-core: Nesting Depth Constraint Bypass in `UTF8DataInputJsonParser` potentially allowing Resource Exhaustion
Details

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Database specific 
{
    "cwe_ids": [
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29062.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/FasterXML/jackson-core

Affected ranges

Type
GIT
Repo
https://github.com/FasterXML/jackson-core
Events
Introduced
360d616bbb88253ea094ccd7f18ca0edd97417a9
Fixed
f59c10646e6fd09f37d149bb97a9a956bc684e1e
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.0"
        }
    ]
}
Type
GIT
Repo
https://github.com/fasterxml/jackson-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8b25fd67f20583e75fb09564ce1eaab06cd5a902

Affected versions

jackson-core-2.*
jackson-core-2.0.0
jackson-core-2.0.1
jackson-core-2.0.2
jackson-core-2.10.0
jackson-core-2.10.0.pr1
jackson-core-2.10.0.pr2
jackson-core-2.10.0.pr3
jackson-core-2.10.1
jackson-core-2.10.2
jackson-core-2.10.3
jackson-core-2.10.4
jackson-core-2.10.5
jackson-core-2.11.0
jackson-core-2.11.0.rc1
jackson-core-2.11.1
jackson-core-2.11.2
jackson-core-2.11.3
jackson-core-2.11.4
jackson-core-2.12.0
jackson-core-2.12.0-rc1
jackson-core-2.12.0-rc2
jackson-core-2.12.1
jackson-core-2.12.2
jackson-core-2.12.3
jackson-core-2.12.4
jackson-core-2.12.5
jackson-core-2.12.6
jackson-core-2.12.7
jackson-core-2.13.0
jackson-core-2.13.0-rc1
jackson-core-2.13.0-rc2
jackson-core-2.13.1
jackson-core-2.13.2
jackson-core-2.13.3
jackson-core-2.13.4
jackson-core-2.13.5
jackson-core-2.14.0
jackson-core-2.14.0-rc1
jackson-core-2.14.0-rc2
jackson-core-2.14.0-rc3
jackson-core-2.14.1
jackson-core-2.14.2
jackson-core-2.14.3
jackson-core-2.15.0
jackson-core-2.15.0-rc1
jackson-core-2.15.0-rc2
jackson-core-2.15.0-rc3
jackson-core-2.15.1
jackson-core-2.15.2
jackson-core-2.15.3
jackson-core-2.15.4
jackson-core-2.16.0
jackson-core-2.16.0-rc1
jackson-core-2.16.1
jackson-core-2.16.2
jackson-core-2.17.0
jackson-core-2.17.0-rc1
jackson-core-2.17.1
jackson-core-2.17.2
jackson-core-2.17.3
jackson-core-2.18.0
jackson-core-2.18.0-rc1
jackson-core-2.18.1
jackson-core-2.18.2
jackson-core-2.18.3
jackson-core-2.18.4
jackson-core-2.18.4.1
jackson-core-2.18.5
jackson-core-2.18.6
jackson-core-2.19.0
jackson-core-2.19.0-rc1
jackson-core-2.19.0-rc2
jackson-core-2.19.1
jackson-core-2.19.2
jackson-core-2.19.3
jackson-core-2.19.4
jackson-core-2.2.0-rc1
jackson-core-2.2.0b
jackson-core-2.2.1
jackson-core-2.2.2
jackson-core-2.20.0
jackson-core-2.20.0-rc1
jackson-core-2.20.1
jackson-core-2.20.2
jackson-core-2.21.0
jackson-core-2.21.1
jackson-core-2.3.0
jackson-core-2.3.0-rc1
jackson-core-2.4.0
jackson-core-2.4.0-rc1
jackson-core-2.4.0-rc2
jackson-core-2.4.0-rc3
jackson-core-2.4.1
jackson-core-2.4.1.1
jackson-core-2.4.2
jackson-core-2.4.3
jackson-core-2.4.4
jackson-core-2.4.5
jackson-core-2.5.0
jackson-core-2.5.0-rc1
jackson-core-2.5.1
jackson-core-2.5.2
jackson-core-2.5.3
jackson-core-2.5.4
jackson-core-2.5.5
jackson-core-2.6.0
jackson-core-2.6.0-rc1
jackson-core-2.6.0-rc2
jackson-core-2.6.0-rc3
jackson-core-2.6.0-rc4
jackson-core-2.6.1
jackson-core-2.6.2
jackson-core-2.6.3
jackson-core-2.6.4
jackson-core-2.6.5
jackson-core-2.6.6
jackson-core-2.7.0
jackson-core-2.7.0-rc1
jackson-core-2.7.0-rc2
jackson-core-2.7.0-rc3
jackson-core-2.7.1
jackson-core-2.7.2
jackson-core-2.7.3
jackson-core-2.7.3b
jackson-core-2.7.4
jackson-core-2.7.5
jackson-core-2.7.6
jackson-core-2.7.7
jackson-core-2.7.8
jackson-core-2.7.9
jackson-core-2.8.0
jackson-core-2.8.1
jackson-core-2.8.10
jackson-core-2.8.11
jackson-core-2.8.2
jackson-core-2.8.3
jackson-core-2.8.4
jackson-core-2.8.5
jackson-core-2.8.6
jackson-core-2.8.7
jackson-core-2.8.8
jackson-core-2.8.9
jackson-core-2.9.0
jackson-core-2.9.0.pr1
jackson-core-2.9.0.pr2
jackson-core-2.9.0.pr3
jackson-core-2.9.0.pr4
jackson-core-2.9.1
jackson-core-2.9.10
jackson-core-2.9.2
jackson-core-2.9.3
jackson-core-2.9.4
jackson-core-2.9.5
jackson-core-2.9.6
jackson-core-2.9.7
jackson-core-2.9.8
jackson-core-2.9.9
jackson-core-3.*
jackson-core-3.0.0
jackson-core-3.0.0-rc1
jackson-core-3.0.0-rc10
jackson-core-3.0.0-rc2
jackson-core-3.0.0-rc3
jackson-core-3.0.0-rc4
jackson-core-3.0.0-rc5
jackson-core-3.0.0-rc6
jackson-core-3.0.0-rc7
jackson-core-3.0.0-rc8
jackson-core-3.0.0-rc9
jackson-core-3.0.1
jackson-core-3.0.2
jackson-core-3.0.3
jackson-core-3.0.4
jackson-core-3.1.0-rc1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29062.json"
vanir_signatures 
[
    {
        "id": "CVE-2026-29062-20c63f86",
        "digest": {
            "function_hash": "326247284020626194434323018155566475384",
            "length": 608.0
        },
        "signature_type": "Function",
        "source": "https://github.com/fasterxml/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/tools/jackson/core/json/ReaderBasedJsonParser.java",
            "function": "nextLongValue"
        }
    },
    {
        "id": "CVE-2026-29062-35845038",
        "digest": {
            "line_hashes": [
                "106598388642092149696502331383068503923",
                "204620921462451523413774005085969423639",
                "180716100322387293269590543731856659374",
                "283906855990894385819716516467722376364",
                "187188503822829248896081005461419530957",
                "15158339026804114596224432777733400949"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/fasterxml/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/tools/jackson/core/json/ReaderBasedJsonParser.java"
        }
    },
    {
        "id": "CVE-2026-29062-73dfa86d",
        "digest": {
            "line_hashes": [
                "47064118745308996343494504160410257956",
                "339400567955816820824523477418297348649",
                "26697672791631637217850411446812417495",
                "74382845753095711789314797927742753645",
                "325278982214326274968870050095414048995",
                "186219158683373422827514039400150262329",
                "13902693782175789176071437772012481154"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/fasterxml/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/tools/jackson/core/json/UTF8DataInputJsonParser.java"
        }
    },
    {
        "id": "CVE-2026-29062-95ba11b1",
        "digest": {
            "function_hash": "242685837317073554904933969900038536886",
            "length": 1157.0
        },
        "signature_type": "Function",
        "source": "https://github.com/fasterxml/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/main/java/tools/jackson/core/json/UTF8DataInputJsonParser.java",
            "function": "_nextTokenNotInObject"
        }
    },
    {
        "id": "CVE-2026-29062-9a991032",
        "digest": {
            "line_hashes": [
                "215599766717561388635343676630774604316",
                "329705086767451314484476724171093175668",
                "158343529494388294969067357075074491863",
                "333311793813694995632880320735379871385",
                "40054179169258071714266792710942745686",
                "120278701020340703058806280078714898650",
                "70905355252088676332915369421251760476",
                "76721354423948096528212925821152316228",
                "232700084553059138830374193930248784536",
                "47128824903726531482751174677100032276",
                "28890002059479067830092511737270072147",
                "74917910273239124165012140325667351114",
                "47597228591732313235632398196541325670"
            ],
            "threshold": 0.9
        },
        "signature_type": "Line",
        "source": "https://github.com/fasterxml/jackson-core/commit/8b25fd67f20583e75fb09564ce1eaab06cd5a902",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "src/test/java/tools/jackson/core/unittest/constraints/DeeplyNestedContentViaDataInputTest.java"
        }
    }
]