2445135 – (CVE-2026-29062) CVE-2026-29062 jackson-core: jackson-core: Denial of Service via excessive JSON nesting

Bug 2445135 (CVE-2026-29062) - CVE-2026-29062 jackson-core: jackson-core: Denial of Service via excessive JSON nesting

Summary: CVE-2026-29062 jackson-core: jackson-core: Denial of Service via excessive JS...

Keywords:
Status:	NEW
Alias:	CVE-2026-29062
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-06 08:01 UTC by OSIDB Bzimport
Modified:	2026-05-10 08:28 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-06 08:01:39 UTC

jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNestingDepth constraint (default: 500) defined in StreamReadConstraints. A similar issue was found in ReaderBasedJsonParser. This allows a user to supply a JSON document with excessive nesting, which can cause a StackOverflowError when the structure is processed, leading to a Denial of Service (DoS). This issue has been patched in version 3.1.0.

Note You need to log in before you can comment on or make changes to this bug.