Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by triggering an integer overflow during C2PA content processing. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the bug carries pure availability impact - no data exposure or code execution - but is trivially reachable by anyone who can feed input to the library.
Technical ContextAI
The Content Authenticity Initiative (CAI) Content Credentials stack - Adobe's reference implementation of the C2PA (Coalition for Content Provenance and Authenticity) specification used to bind cryptographic provenance manifests to media - ships as the c2pa Rust crate and the c2pa-web JavaScript/WASM wrapper. CWE-190 (Integer Overflow or Wraparound) at this layer typically arises when a length, offset, or count field parsed from a C2PA manifest, JUMBF box, or embedded asset is multiplied or added without bounds checking, wrapping a size_t/usize value and producing an out-of-bounds read, undersized allocation, or assertion failure that aborts the host process. The affected CPE is cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* covering c2pa-web@0.7.1 and the underlying c2pa@0.80.1 and earlier.
RemediationAI
Patch available per vendor advisory APSB26-61 (https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html); upgrade c2pa-web past 0.7.1 and the c2pa crate past 0.80.1 to the fixed releases listed there, and rebuild any application that bundles them since a host-side dependency bump alone will not propagate into shipped binaries or WASM bundles. If immediate upgrade is not possible, gate C2PA parsing behind a size/type pre-filter that rejects oversized or malformed manifests before they reach the library, run the parser in an isolated worker or subprocess so a crash only kills that worker rather than the whole service, and rate-limit verification endpoints to blunt automated crash loops - trade-offs are added latency, reduced concurrency, and the possibility of false-rejecting legitimate but unusually large manifests.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35850
GHSA-47r4-q5f4-x2qv