Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local attacker without privileges to exhaust system resources, resulting in a denial-of-service condition. The vulnerability requires no user interaction, meaning it can be triggered programmatically by any process with local access to a system running the affected SDK. No public exploit code or CISA KEV listing has been identified at time of analysis.
Technical ContextAI
Adobe CAI Content Credentials is an SDK implementing the C2PA (Coalition for Content Provenance and Authenticity) standard, used for embedding and verifying cryptographic provenance metadata in media content. The CPE string cpe:2.3:a:adobe:cai_content_credentials identifies this as an Adobe application-layer component distributed in two package variants: c2pa-web (browser/WebAssembly target) and c2pa (native/server-side target). CWE-400 (Uncontrolled Resource Consumption) indicates the root cause is a failure to impose limits on resource-intensive operations - typically unbounded loops, recursive parsing, or memory allocation triggered by crafted input - allowing an attacker to drive CPU, memory, or I/O to exhaustion without corresponding validation or throttling controls.
RemediationAI
The primary remediation is to upgrade to patched versions per Adobe security advisory APSB26-61, available at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html. The advisory is the authoritative source for specific fixed version numbers, as the input data does not independently confirm exact fix versions beyond noting that 0.7.1 (c2pa-web) and 0.80.1 (c2pa) are the last vulnerable releases - consult APSB26-61 for confirmed patched releases before upgrading. As a compensating control where immediate patching is not possible, restrict access to the C2PA content processing pipeline so that only trusted, validated input reaches the SDK, reducing the attacker's ability to supply resource-exhausting payloads. Additionally, deploy process-level resource limits (e.g., ulimit, container cgroup memory and CPU constraints) around services invoking the SDK to contain the blast radius of any exploitation attempt - note this does not eliminate the vulnerability but limits its impact to the sandboxed process rather than the host system.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35848
GHSA-vr3p-xmf5-v63x