Bulletin ID
Last updated on
Dec 13, 2022
Security updates available for Adobe Content Authenticity Initiative (CAI) - Content Credentials | APSB26-53
|
|
Date Published |
Priority |
|
APSB26-53 |
May 12, 2026 |
3 |
Summary
Adobe has released security updates for Adobe Content Authenticity Initiative (CAI) - Content Credentials. This update addresses critical and important vulnerability that could result in application denial-of-service.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected versions
| Product | Affected version | Platform |
|---|---|---|
| Content Credentials JS SDK | @contentauth/c2pa-web@0.7.0 | Windows, macOS, Linux, iOS, Android |
| Content Credentials Rust SDK | c2pa-v0.78.2 | Windows, macOS, Linux, iOS, Android |
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version:
| Product | Updated version | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Content Credentials JS SDK |
@contentauth/c2pa-web@0.7.1 | Windows, macOS, Linux, iOS, Android | 3 | Release Notes |
| Content Credentials Rust SDK | c2pa-v0.80.1 | Windows, macOS, Linux, iOS, Android | 3 | Release Notes |
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Critical | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34665 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34666 |
| Integer Underflow (Wrap or Wraparound) (CWE-191) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34667 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34668 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34669 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34670 |
| Integer Overflow or Wraparound (CWE-190) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34671 |
| Integer Underflow (Wrap or Wraparound) (CWE-191) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34672 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34673 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34677 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34678 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34679 |
| Integer Overflow or Wraparound (CWE-190) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-34680 |
Acknowledgments
Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.
- bau1u - CVE-2026-34665, CVE-2026-34666, CVE-2026-34667, CVE-2026-34668, CVE-2026-34669, CVE-2026-34670, CVE-2026-34671, CVE-2026-34672, CVE-2026-34673, CVE-2026-34677, CVE-2026-34678, CVE-2026-34679, CVE-2026-34680
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check us out here: https://hackerone.com/adobe.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com
