CVE-2026-47905: Adobe C2PA Resource Exhaustion Denial of Service Vulnerability
A resource exhaustion vulnerability exists in Adobe's Content Credentials (C2PA) library that allows an attacker to consume excessive system resources and crash an application without requiring any user action. The vulnerability affects C2PA Web version 0.7.1 and earlier, as well as C2PA version 0.80.1 and earlier. An unauthenticated attacker with local access could trigger the issue remotely through the affected library, leading to a denial-of-service condition.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47905 is an Uncontrolled Resource Consumption vulnerability (CWE-400) in Adobe's C2PA content credentials library. The flaw permits an attacker to exhaust system memory or compute resources by sending specially crafted inputs to the library without authentication or user interaction. The vulnerability exists in [email protected] and [email protected] and earlier versions. With a CVSS v3.1 score of 6.2 (MEDIUM), the attack vector is local, requires no privileges, and causes high availability impact while preserving confidentiality and integrity.
Business impact
Applications embedding C2PA for content authentication and credential management become susceptible to availability disruptions. A successful exploit could render dependent services unresponsive, affecting digital asset verification workflows, media authenticity verification pipelines, and any system relying on C2PA for tamper detection. Organizations using C2PA in production environments face operational risk if the library is exposed to untrusted input, whether through web services, content processing jobs, or integration points.
Affected systems
The vulnerability impacts Adobe C2PA and C2PA-Web libraries at version 0.80.1 and earlier for the core library, and 0.7.1 and earlier for the web variant. Any application or service that depends on these libraries for content credential processing is affected. This includes web applications, backend content verification systems, and desktop applications that bundle C2PA for authenticity checks.
Exploitability
The vulnerability requires local access but no authentication or user interaction, making it exploitable by any local process or user on the system. The attack surface is broad if C2PA is exposed through APIs, web services, or automated content processing pipelines that accept external input. However, the absence from the CISA Known Exploited Vulnerabilities (KEV) catalog indicates no confirmed active exploitation in the wild at this time.
Remediation
Upgrade Adobe C2PA and C2PA-Web libraries to versions newer than 0.80.1 and 0.7.1 respectively. Verify the specific patched versions in Adobe's security advisories. Additionally, implement input validation and rate limiting on any interfaces that accept content for C2PA credential processing. Where feasible, restrict C2PA processing to trusted or pre-validated content sources to minimize the attack surface.
Patch guidance
Check Adobe's security updates for C2PA and C2PA-Web. Update c2pa-web to a version greater than 0.7.1 and the core c2pa library to a version greater than 0.80.1. Consult the vendor advisory for specific patched version numbers and deployment procedures. Test patches in non-production environments before rolling out broadly, particularly for applications where C2PA is a critical component of content verification.
Detection guidance
Monitor for abnormal resource consumption (CPU, memory) in processes using C2PA, particularly those handling untrusted or external content. Implement logging and alerting on content processing pipeline errors and timeouts. Use application performance monitoring (APM) tools to detect sudden spikes in resource usage correlated with content credential processing. Review access logs for unusual patterns in content submission or processing requests that might indicate attack probing.
Why prioritize this
While the CVSS score is MEDIUM (6.2), prioritization should be elevated for organizations where C2PA is embedded in customer-facing or critical backend services. The no-interaction, no-authentication attack vector and high availability impact make this a concern for service reliability. The absence from the KEV catalog suggests emerging rather than actively exploited threats, providing a window for proactive patching before mass exploitation becomes common.
Risk score, explained
The CVSS v3.1 score of 6.2 reflects a medium-severity denial-of-service vulnerability with local attack vector. The score emphasizes high availability impact (A:H) but no confidentiality or integrity compromise. Organizations should map internal risk based on deployment context: a vulnerability in a library handling untrusted external content poses greater risk than one in tightly controlled internal-only systems. The local vector does not diminish risk for web services or APIs that expose the functionality.
Frequently asked questions
Do I need to patch immediately if C2PA is only used for internal, trusted content?
Lower urgency applies to internal-only deployments with strict access controls. However, if any external input or user-supplied content reaches C2PA processing—even indirectly—patch within your normal cycle. If C2PA is used in a shared or multi-tenant environment, patch sooner to prevent lateral attack vectors.
What versions are safe?
Verify with Adobe's official security advisory for the exact safe versions. Any c2pa-web version newer than 0.7.1 and any core c2pa version newer than 0.80.1 should be considered. Do not assume the next minor or patch release is patched without confirmation from the vendor.
Does this vulnerability require the attacker to be on the same machine?
Yes, the local (L) attack vector means the attacker needs local system access. However, in cloud environments, containerized deployments, or shared hosting, 'local' may be easier to achieve. If C2PA is exposed through a remote API or web service, the practical barrier is lower than it initially appears.
Is there a workaround if I cannot patch immediately?
Implement strict input validation and size limits on content fed to C2PA. Rate-limit or throttle content processing requests. If possible, isolate C2PA processing to a containerized environment with resource caps (CPU, memory) to prevent system-wide denial-of-service. These measures reduce but do not eliminate risk; patching is the definitive remediation.
This analysis is based on publicly disclosed vulnerability data as of the publication date. CVSS scores, affected versions, and patch availability are derived from official sources; verify all remediation steps against the vendor's security advisory before deployment. This document does not constitute legal or compliance advice. Organizations should assess risk within their own operational and regulatory context. No exploit code or weaponized details are provided. Reference official Adobe security channels for the most current patch information and deployment recommendations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47902MEDIUMCAI Content Credentials Resource Exhaustion Denial-of-Service
- CVE-2026-47904MEDIUMCAI Content Credentials Resource Exhaustion Denial-of-Service
- CVE-2026-34713HIGHAdobe CAI Content Credentials Denial-of-Service Vulnerability
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification