Description
CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier contain an integer underflow (wrap or wraparound) vulnerability that can cause the application to crash, resulting in a denial‑of‑service condition. Based on the description, it is inferred that the flaw originates from insufficient bounds checking in the parsing logic of numeric values, and it is classified as CWE‑191. Importantly, the vulnerability can be triggered without user interaction; an attacker can supply crafted input to the component to induce the crash.

Affected Systems

Adobe CAI Content Credentials versions 0.7.0, 0.78.2, and all earlier releases are affected. These versions are integrated into the Adobe Content Authenticity SDK, which publishers use to verify the integrity of digital content.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. The EPSS score is less than 1 % and the vulnerability is not listed in CISA’s KEV catalog, so the likelihood of exploitation is low but uncertain. Because no user interaction is required, an attacker could trigger the flaw remotely by supplying malicious data to an exposed component, or locally if the attacker can directly supply input, potentially disrupting content delivery or transactional systems that rely on the SDK.

Generated by OpenCVE AI on June 9, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe CAI Content Credentials to the latest released version where the integer underflow is fixed.
  • If a patch cannot be applied immediately, disable or restrict any functionality that processes user‑controlled input within the SDK, or replace vulnerable code paths with safer alternatives.
  • Configure application monitoring to detect unexpected crashes and ensure graceful degradation, so the failing component does not bring down the entire system.

Generated by OpenCVE AI on June 9, 2026 at 23:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe c2pa
Adobe c2pa-web
CPEs cpe:2.3:a:adobe:c2pa-web:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adobe:c2pa:*:*:*:*:*:rust:*:*
Vendors & Products Adobe c2pa
Adobe c2pa-web

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe cai Content Credentials
Vendors & Products Adobe
Adobe cai Content Credentials

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Title CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)
Weaknesses CWE-191
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe C2pa C2pa-web Cai Content Credentials
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T21:39:30.387Z

Reserved: 2026-03-30T17:30:36.494Z

Link: CVE-2026-34667

cve-icon Vulnrichment

Updated: 2026-05-12T20:24:07.604Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T20:16:37.250

Modified: 2026-06-17T10:39:24.823

Link: CVE-2026-34667

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:45:15Z

Weaknesses
  • CWE-191

    Integer Underflow (Wrap or Wraparound)