Description
CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected Adobe CAI Content Credentials releases (c2pa-web@0.7.0, c2pa-v0.78.2, and earlier) contain an integer underflow that can be triggered by crafted input (inferred from limited data). The wraparound allows a negative value to be processed, causing allocation logic to fail and the application to crash. This results in a denial-of-service condition without requiring user interaction. The weakness is CWE-191.

Affected Systems

Adobe CAI Content Credentials versions 0.78.2, 0.7.0 and all earlier releases are affected. These versions are used to sign and verify content in Adobe applications that rely on the Content Authenticity SDK.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity, but the exploit does not require user interaction, so an attacker could potentially trigger the failure from any vector that can send crafted input or configuration to the software (inferred from limited data). The EPSS score is 0.00012, indicating a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, implying it has not yet been widely observed in the wild. Nonetheless, because it results in a program crash, any exploitation would immediately disrupt availability and should be treated with high priority.

Generated by OpenCVE AI on June 9, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe CAI Content Credentials to the latest version that removes the integer underflow bug.
  • If an upgrade is not possible, disable or restrict any parsing of external data that might trigger the underflow path in older releases.
  • Continuously monitor application logs for unexpected termination events and ensure that automated monitoring alerts are in place to detect a potential denial-of-service incident.

Generated by OpenCVE AI on June 9, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction. CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe c2pa
Adobe c2pa-web
CPEs cpe:2.3:a:adobe:c2pa-web:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adobe:c2pa:*:*:*:*:*:rust:*:*
Vendors & Products Adobe c2pa
Adobe c2pa-web

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe cai Content Credentials
Vendors & Products Adobe
Adobe cai Content Credentials

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
Title CAI Content Credentials | Integer Underflow (Wrap or Wraparound) (CWE-191)
Weaknesses CWE-191
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe C2pa C2pa-web Cai Content Credentials
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T21:38:43.571Z

Reserved: 2026-03-30T17:30:36.495Z

Link: CVE-2026-34672

cve-icon Vulnrichment

Updated: 2026-05-12T20:23:03.136Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T20:16:37.807

Modified: 2026-06-17T10:39:25.337

Link: CVE-2026-34672

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses
  • CWE-191

    Integer Underflow (Wrap or Wraparound)