Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a local attacker to crash the consuming application by supplying malformed input, resulting in a denial-of-service condition. No user interaction is required once the attacker can deliver crafted input to the locally running process. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the crash-based impact and low attack complexity make it straightforward to trigger.
Technical ContextAI
The affected library implements the C2PA (Coalition for Content Provenance and Authenticity) standard for embedding and verifying digital content credentials - cryptographic provenance metadata attached to media files. The two affected packages are the JavaScript/WebAssembly web SDK (c2pa-web) and the core Rust-based SDK (c2pa), both published by Adobe under the Content Authenticity Initiative (CAI). CWE-20 (Improper Input Validation) indicates the root cause is insufficient sanitization or bounds checking of attacker-controlled input before it is processed by the parsing or verification routines within the library. The CPE string cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* covers all versions up through the affected releases. Because this SDK is embedded within applications rather than exposed as a standalone service, the attack surface is local to wherever content credential parsing occurs.
RemediationAI
The primary remediation is to upgrade both affected packages beyond the identified vulnerable versions: c2pa-web above 0.7.1 and c2pa above 0.80.1. Exact fixed version numbers are not explicitly confirmed in the provided data - consult the Adobe advisory APSB26-61 at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html for the precise patched release identifiers before deploying updates. As a compensating control where immediate upgrade is not possible, restrict the application's input sources to trusted, internally generated content only, preventing untrusted external media from reaching the c2pa parsing routines; this eliminates the attacker's delivery mechanism but may impact legitimate workflows that process third-party content. Additionally, consider wrapping the application process in a supervisor with automatic restart to reduce the operational impact of a crash-induced denial of service. Neither workaround addresses the underlying validation defect and should be treated as temporary measures pending patch deployment.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35847
GHSA-qx3w-6mjj-cvrc