Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local, unprivileged attacker to exhaust system resources and trigger an application-level denial-of-service condition. The CVSS vector confirms local attack vector with no privileges required and no user interaction, meaning any local process or user context capable of invoking the SDK can trigger the condition. No public exploit code or CISA KEV listing has been identified at time of analysis, and the availability impact is rated High with no confidentiality or integrity exposure.
Technical ContextAI
The affected library implements the C2PA (Coalition for Content Provenance and Authenticity) standard for embedding and verifying content credentials - cryptographic provenance metadata in media files. Adobe's CAI Content Credentials SDK (cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:*) ships in two package variants: a Rust-based core library (c2pa-rs, versioned c2pa-v0.80.1 and earlier) and a WebAssembly/JavaScript wrapper (c2pa-web@0.7.1 and earlier). CWE-400 (Uncontrolled Resource Consumption) indicates the SDK fails to enforce limits on memory, CPU, or I/O when parsing or validating content credential payloads - a class of flaw commonly triggered by deeply nested structures, large buffers, or recursive parsing loops embedded in crafted media manifests. Because the SDK is a processing library rather than a network service, exploitation is scoped to the local process invoking it.
RemediationAI
Patch available per Adobe advisory APSB26-61 - consult https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html for the exact fixed package versions for both c2pa-web and c2pa crate releases, as the patched version numbers were not specified in the available input data. For environments where immediate upgrade is not possible, a practical compensating control is to validate and limit the size of C2PA manifest payloads before passing them to the SDK (e.g., reject inputs exceeding a defined byte threshold), which reduces - but does not eliminate - the resource exhaustion attack surface. Additionally, running the SDK in an isolated process with OS-level resource limits (ulimit on Linux, job objects on Windows) can contain the blast radius to a single worker rather than the host system. Note that resource-limit sandboxing does not prevent the crash but prevents it from affecting adjacent services.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35846
GHSA-89fj-wmjh-6xfj