Skip to main content

CAI Content Credentials EUVDEUVD-2026-35850

| CVE-2026-34711 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-06-09 adobe GHSA-47r4-q5f4-x2qv
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 09, 2026 - 22:22 vuln.today
CVE Published
Jun 09, 2026 - 21:21 nvd
HIGH 7.5

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by triggering an integer overflow during C2PA content processing. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N) and no public exploit identified at time of analysis, the bug carries pure availability impact - no data exposure or code execution - but is trivially reachable by anyone who can feed input to the library.

Technical ContextAI

The Content Authenticity Initiative (CAI) Content Credentials stack - Adobe's reference implementation of the C2PA (Coalition for Content Provenance and Authenticity) specification used to bind cryptographic provenance manifests to media - ships as the c2pa Rust crate and the c2pa-web JavaScript/WASM wrapper. CWE-190 (Integer Overflow or Wraparound) at this layer typically arises when a length, offset, or count field parsed from a C2PA manifest, JUMBF box, or embedded asset is multiplied or added without bounds checking, wrapping a size_t/usize value and producing an out-of-bounds read, undersized allocation, or assertion failure that aborts the host process. The affected CPE is cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* covering c2pa-web@0.7.1 and the underlying c2pa@0.80.1 and earlier.

RemediationAI

Patch available per vendor advisory APSB26-61 (https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html); upgrade c2pa-web past 0.7.1 and the c2pa crate past 0.80.1 to the fixed releases listed there, and rebuild any application that bundles them since a host-side dependency bump alone will not propagate into shipped binaries or WASM bundles. If immediate upgrade is not possible, gate C2PA parsing behind a size/type pre-filter that rejects oversized or malformed manifests before they reach the library, run the parser in an isolated worker or subprocess so a crash only kills that worker rather than the whole service, and rate-limit verification endpoints to blunt automated crash loops - trade-offs are added latency, reduced concurrency, and the possibility of false-rejecting legitimate but unusually large manifests.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

EUVD-2026-35850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy