Description
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An integer underflow (wrap or wraparound) in CAI Content Credentials could allow an attacker to force the application to crash, resulting in a denial‑of‑service. The flaw sits in the parsing logic that does not enforce bounds on numeric values, and it is classified as CWE‑191. No user interaction is required to trigger it; an attacker can simply supply malformed data to the component.

Affected Systems

Adobe CAI Content Credentials versions 0.78.2, 0.7.0, and all earlier releases are affected. These versions are included in the Adobe Content Authenticity SDK, which is used by publishers to verify the integrity of digital content.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, so the current probability of exploitation is unknown. However, because the flaw can be triggered without any user interaction, it could be exploited remotely or locally by an attacker who can provide crafted input. The resulting denial‑of‑service could disrupt content delivery or transactional systems that rely on the SDK.

Generated by OpenCVE AI on May 12, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe CAI Content Credentials to the latest released version where the integer underflow is fixed.
  • If a patch cannot be applied immediately, disable or restrict any functionality that processes user‑controlled input within the SDK, or replace vulnerable code paths with safer alternatives.
  • Configure application monitoring to detect unexpected crashes and ensure graceful degradation, such that the failing component does not bring down the entire system.


Advisories

No advisories yet.

History

Fri, 15 May 2026 14:15:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Adobe c2pa, Adobe c2pa-web
  • CPEs: cpe:2.3:a:adobe:c2pa-web:*:*:*:*:*:node.js:*:*, cpe:2.3:a:adobe:c2pa:*:*:*:*:*:rust:*:*
  • Vendors & Products: Adobe c2pa, Adobe c2pa-web

Wed, 13 May 2026 11:00:00 +0000

Values Removed: none
Values Added:
  • First Time appeared: Adobe, Adobe cai Content Credentials
  • Vendors & Products: Adobe, Adobe cai Content Credentials

Tue, 12 May 2026 21:15:00 +0000

Values Removed: none
Values Added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 20:15:00 +0000

Values Removed: none
Values Added:
  • Description: CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
  • Title: CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)
  • Weaknesses: CWE-191
  • References:
  • Metrics (cvssV3_1): {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-12T20:24:12.189Z

Reserved: 2026-03-30T17:30:36.494Z

Link: CVE-2026-34667

Vulnrichment

Updated: 2026-05-12T20:24:07.604Z

NVD

Status: Analyzed

Published: 2026-05-12T20:16:37.250

Modified: 2026-05-15T14:13:25.393

Link: CVE-2026-34667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:03Z
