Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to exhaust system resources and crash the application by triggering uncontrolled resource consumption during C2PA content processing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.5 score reflects easy network-based exploitation with no user interaction required. Affected deployments are those embedding Adobe's Content Authenticity SDK for verifying or generating C2PA provenance manifests on web-facing services.
Technical ContextAI
CAI (Content Authenticity Initiative) Content Credentials implement the C2PA (Coalition for Content Provenance and Authenticity) standard for cryptographically signed media provenance metadata. The affected components are the c2pa-web library (version 0.7.1) and the c2pa SDK (version 0.80.1 and earlier), which parse and validate C2PA manifests embedded in images, video, and other media. The root cause is CWE-400 (Uncontrolled Resource Consumption), typical of parsers that fail to bound input size, recursion depth, or allocation during manifest decoding - a malformed or maliciously crafted manifest can drive CPU, memory, or thread usage to exhaustion. The CPE cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* covers Adobe-distributed builds of these libraries.
RemediationAI
Patch available per vendor advisory APSB26-61 (https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html) - upgrade c2pa-web beyond 0.7.1 and the c2pa SDK beyond 0.80.1 to the fixed versions Adobe identifies in that bulletin; the input data does not enumerate the exact fixed version numbers, so consult the advisory directly. Until patched, compensating controls include enforcing strict size limits on uploaded media (e.g., reject files above a known-good threshold before passing them to the parser), running C2PA validation in an isolated worker process or container with CPU and memory cgroup limits so a runaway parse cannot starve the host, and adding request-rate limits on endpoints that trigger manifest parsing. The trade-off is that aggressive size limits may reject legitimate high-resolution provenance-rich assets, and sandboxing adds operational complexity.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35843
GHSA-x2pp-hg54-xgcf