Skip to main content

CAI Content Credentials CVE-2026-47902

| EUVDEUVD-2026-35846 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 adobe GHSA-89fj-wmjh-6xfj
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:25 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local, unprivileged attacker to exhaust system resources and trigger an application-level denial-of-service condition. The CVSS vector confirms local attack vector with no privileges required and no user interaction, meaning any local process or user context capable of invoking the SDK can trigger the condition. No public exploit code or CISA KEV listing has been identified at time of analysis, and the availability impact is rated High with no confidentiality or integrity exposure.

Technical ContextAI

The affected library implements the C2PA (Coalition for Content Provenance and Authenticity) standard for embedding and verifying content credentials - cryptographic provenance metadata in media files. Adobe's CAI Content Credentials SDK (cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:*) ships in two package variants: a Rust-based core library (c2pa-rs, versioned c2pa-v0.80.1 and earlier) and a WebAssembly/JavaScript wrapper (c2pa-web@0.7.1 and earlier). CWE-400 (Uncontrolled Resource Consumption) indicates the SDK fails to enforce limits on memory, CPU, or I/O when parsing or validating content credential payloads - a class of flaw commonly triggered by deeply nested structures, large buffers, or recursive parsing loops embedded in crafted media manifests. Because the SDK is a processing library rather than a network service, exploitation is scoped to the local process invoking it.

RemediationAI

Patch available per Adobe advisory APSB26-61 - consult https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html for the exact fixed package versions for both c2pa-web and c2pa crate releases, as the patched version numbers were not specified in the available input data. For environments where immediate upgrade is not possible, a practical compensating control is to validate and limit the size of C2PA manifest payloads before passing them to the SDK (e.g., reject inputs exceeding a defined byte threshold), which reduces - but does not eliminate - the resource exhaustion attack surface. Additionally, running the SDK in an isolated process with OS-level resource limits (ulimit on Linux, job objects on Windows) can contain the blast radius to a single worker rather than the host system. Note that resource-limit sandboxing does not prevent the crash but prevents it from affecting adjacent services.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

CVE-2026-47902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy