CVE-2026-29975 Overview
CVE-2026-29975 is an improper input validation vulnerability in lwjson 1.8.1, a lightweight JSON parser commonly used in embedded systems. The flaw resides in the streaming JSON parser implemented in lwjson_stream.c. The end-of-string detection logic checks only the single character preceding a quote to decide whether the quote is escaped. It does not count consecutive backslashes, so a valid JSON string ending with an escaped backslash ("\\") is never recognized as terminated. A remote attacker who can deliver JSON to an application using lwjson_stream_parse() can trigger an infinite loop, producing a denial of service.
Critical Impact
Remote, unauthenticated attackers can send well-formed JSON that causes lwjson_stream_parse() to hang indefinitely, exhausting CPU and stalling the host application.
Affected Products
- lwjson 1.8.1 (streaming parser lwjson_stream.c)
- Applications and firmware embedding lwjson_stream_parse() for untrusted JSON input
- Downstream embedded or IoT products bundling vulnerable versions of lwjson
Discovery Timeline
- 2026-05-08 - CVE-2026-29975 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-29975
Vulnerability Analysis
The defect is an infinite loop condition classified under CWE-835 (Loop with Unreachable Exit Condition). The streaming parser in lwjson_stream.c reads JSON character by character and must determine when a quoted string ends. Its termination logic inspects the byte directly before a closing quote to decide whether that quote is escaped by a backslash.
This single-character lookback ignores the parity of preceding backslashes. In JSON, \\ represents a literal backslash, so a string such as "\\" is a valid two-character payload containing one escaped backslash followed by a terminating quote. The parser sees a backslash immediately before the final quote and treats the quote as escaped. It then continues consuming bytes searching for a string terminator that never arrives.
The result is unbounded consumption of input or repeated state transitions inside the parser, blocking the calling thread. Because parsing typically runs inline with the network or message-handling loop in embedded applications, the entire service stalls.
Root Cause
The root cause is incorrect escape detection logic at the streaming string-termination check referenced at lwjson_stream.c lines 362-364. The implementation must count consecutive trailing backslashes and treat the quote as escaped only when the count is odd. Checking a single preceding byte fails when an even number of backslashes precedes the quote.
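The two checks contrasted above, as an added stand-alone illustration (not lwjson's own code): string_end_lookback models the single-byte lookback, string_end_parity the corrected check that tracks backslash parity as streaming state. Both take the JSON string starting at its opening quote and return the index of the closing quote, or -1 when no terminator is found in the bytes given, which is where a streaming parser would keep waiting for input.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flawed model: a quote is treated as escaped whenever the byte before it
 * is a backslash, regardless of whether that backslash is itself escaped. */
static long string_end_lookback(const char *s, size_t n) {
    for (size_t i = 1; i < n; i++) {
        if (s[i] == '"' && s[i - 1] != '\\')
            return (long)i;
    }
    return -1; /* no terminator seen: parser would wait for more bytes */
}

/* Corrected model: `escaped` is set by an unescaped backslash and cleared
 * by the byte that follows it, so only an odd run of backslashes escapes
 * the next quote. This is the parity rule the fix must implement. */
static long string_end_parity(const char *s, size_t n) {
    bool escaped = false;
    for (size_t i = 1; i < n; i++) {
        if (escaped) {          /* this byte is escaped, whatever it is */
            escaped = false;
            continue;
        }
        if (s[i] == '\\') {     /* backslash starts an escape sequence */
            escaped = true;
            continue;
        }
        if (s[i] == '"')        /* unescaped quote terminates the string */
            return (long)i;
    }
    return -1;
}

int main(void) {
    /* Constructed samples: the advisory's "\\" case, an escaped quote,
     * and a string made of four backslashes (two escaped backslashes). */
    const char *samples[] = { "\"\\\\\"}", "\"a\\\"b\"", "\"\\\\\\\\\"" };
    for (size_t k = 0; k < 3; k++) {
        const char *s = samples[k];
        printf("%-10s lookback=%ld parity=%ld\n", s,
               string_end_lookback(s, strlen(s)),
               string_end_parity(s, strlen(s)));
    }
    return 0;
}
```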
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker submits a JSON document containing a string value ending in an escaped backslash, such as {"k":"\\"}, to any endpoint that feeds data into lwjson_stream_parse(). Parsing never returns, producing CPU exhaustion and denial of service on the target.
No verified public exploit code is available. See the reference gist and the lwjson repository for technical details on the parsing logic.
Detection Methods for CVE-2026-29975
Indicators of Compromise
- Sustained 100% CPU utilization on threads or tasks invoking lwjson_stream_parse() shortly after receiving JSON input.
- Application or firmware watchdog resets correlated with inbound JSON messages from external sources.
- Stalled request handlers, message queues, or MQTT/HTTP workers that previously processed JSON without delay.
Detection Strategies
- Perform a software bill of materials (SBOM) review to identify products and firmware that statically link lwjson 1.8.1 or earlier vulnerable revisions.
- Add fuzz tests covering escaped-backslash sequences ("\\", "\\\\\\\\") and assert that lwjson_stream_parse() returns within a bounded time.
- Instrument JSON parsing entry points with execution-time telemetry and alert when parse duration exceeds an expected upper bound.
Monitoring Recommendations
- Monitor inbound message sizes and per-connection parse latency on services that expose JSON APIs to untrusted networks.
- Log and rate-limit requests originating from clients that repeatedly send malformed or pathological JSON payloads.
- Track watchdog reboots and thread-hang events on embedded devices and correlate them with network ingress logs.
How to Mitigate CVE-2026-29975
Immediate Actions Required
- Inventory all systems and firmware images that include lwjson and identify those calling lwjson_stream_parse() on attacker-influenced data.
- Place vulnerable endpoints behind a JSON-aware proxy or gateway that enforces strict string and message-size limits.
- Apply parse timeouts at the caller so a stalled lwjson_stream_parse() invocation is forcibly aborted.
Patch Information
No fixed version is referenced in the NVD record at the time of publication. Track the upstream lwjson repository for a corrected escape-handling commit and rebuild dependent firmware once a patched release is available. The fix must count consecutive backslashes preceding a quote and treat the quote as escaped only when that count is odd.
Workarounds
- Reject or sanitize JSON payloads at an upstream gateway before they reach lwjson_stream_parse(), especially strings ending in backslash sequences.
- Run JSON parsing on a worker thread with a hard execution-time limit, terminating the task if the limit is exceeded.
- Restrict maximum accepted JSON message length to a value far below available memory and processing budgets.
# Configuration example: enforce a parse timeout and size cap in the caller
# (pseudocode wrapper around lwjson_stream_parse)
MAX_JSON_BYTES=4096
PARSE_TIMEOUT_MS=250
# Drop oversized payloads at the network layer before invoking the parser
# and run the parser under a watchdog that aborts hung invocations.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.