CVE-2026-29975

Name of the Vulnerable Software and Affected Versions lwjson version 1.8.1

Description Improper input validation in the streaming JSON parser (lwjson stream.c) occurs because the end-of-string detection logic incorrectly identifies escaped quote characters. The system only checks the immediately preceding character instead of counting consecutive backslashes, which prevents valid JSON strings ending with an escaped backslash from terminating parsing. A remote attacker can send well-formed JSON to cause applications using the lwjson stream parse() function to hang indefinitely, leading to a denial of service.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.