CVE-2026-34665 Overview
CVE-2026-34665 is an Uncontrolled Resource Consumption vulnerability in Adobe's Content Authenticity Initiative (CAI) Content Credentials libraries. The flaw affects c2pa versions 0.78.2 and earlier, and c2pa-web versions 0.7.0 and earlier. A remote attacker can exhaust system resources by sending crafted input to applications using the affected libraries. Exploitation requires no authentication and no user interaction. Successful exploitation produces a denial-of-service (DoS) condition that renders the application unavailable to legitimate users. Adobe published the issue in security bulletin APSB26-53 and classified it as CWE-400.
Critical Impact
Remote, unauthenticated attackers can trigger a denial-of-service condition in any application embedding the affected Adobe C2PA Content Credentials SDK.
Affected Products
- Adobe c2pa (Rust) versions 0.78.2 and earlier
- Adobe c2pa-web (Node.js) versions 0.7.0 and earlier
- Applications and services embedding the Adobe Content Authenticity SDK
Discovery Timeline
- 2026-05-12 - CVE-2026-34665 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-34665
Vulnerability Analysis
The Adobe C2PA Content Credentials SDK implements the Coalition for Content Provenance and Authenticity (C2PA) specification. The libraries parse and validate provenance manifests embedded in media assets such as images, video, and audio. The vulnerability resides in the parsing logic, where malformed or maliciously structured input is processed without enforcing bounds on memory or CPU usage. An attacker can submit a crafted asset that causes the parser to consume excessive resources, exhausting available memory or CPU cycles. The result is application unavailability for the duration of the attack.
Root Cause
The root cause is classified as CWE-400, Uncontrolled Resource Consumption. The affected parsing routines lack input size limits, recursion depth checks, or computational complexity bounds. When the library processes a manifest, the cost of handling certain structural elements grows faster than the input itself, so an attacker can trigger disproportionate work with a relatively small input. The condition affects both the Rust c2pa crate and the c2pa-web Node.js binding, indicating the defect resides in shared parsing logic rather than language-specific glue code.
Attack Vector
The attack vector is network-based. An attacker submits a malicious media file or manifest to any endpoint that invokes the affected library for verification. This includes content moderation pipelines, publishing workflows, asset ingestion APIs, and web services that validate Content Credentials. No authentication or user interaction is required. Repeated submissions amplify the impact and can take down multi-tenant services. See the Adobe Security Advisory APSB26-53 for technical details.
Detection Methods for CVE-2026-34665
Indicators of Compromise
- Sustained spikes in CPU or memory utilization on services that ingest or verify C2PA-signed media
- Repeated process restarts or out-of-memory (OOM) kills on workers using c2pa or c2pa-web
- Unusual volumes of POST requests carrying media payloads to Content Credentials verification endpoints
- Application logs showing parser timeouts or aborted manifest validation operations
Detection Strategies
- Instrument the SDK call sites with per-request CPU and memory budgets, and alert when budgets are exceeded
- Track request size distribution to Content Credentials endpoints and flag outliers consistent with amplification payloads
- Correlate worker crashes and restart loops with inbound asset uploads at a shared time window
- Inspect application telemetry for repeated invocations of C2PA parsing functions from the same client or IP range
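The rate, size-outlier and crash-correlation checks from the list above, as an added example that is not part of this advisory or any Adobe tooling. The proxy log lines, the `/api/verify` endpoint path and the OOM-kill timestamp are constructed; the log layout is an assumption.

```javascript
// Added example (not from the page or Adobe): the detection checks listed above, run over
// constructed proxy log lines laid out as: <ISO time> <ip> <method> <path> <status> <request bytes>
const VERIFY_PATH = '/api/verify';  // assumed path of the Content Credentials endpoint
const PROXY_LOG = [  // constructed: one client hammering the endpoint until the worker 504s
  '2026-05-13T10:00:01Z 203.0.113.7 POST /api/verify 200 48211',
  '2026-05-13T10:00:02Z 203.0.113.7 POST /api/verify 200 51004',
  '2026-05-13T10:00:03Z 203.0.113.7 POST /api/verify 504 49990',
  '2026-05-13T10:00:04Z 203.0.113.7 POST /api/verify 504 50310',
  '2026-05-13T10:00:05Z 203.0.113.7 POST /api/verify 504 50002',
  '2026-05-13T10:00:20Z 198.51.100.4 POST /api/verify 200 2310007',
  '2026-05-13T10:00:25Z 198.51.100.4 GET /api/health 200 0',
];
const OOM_KILL_AT = '2026-05-13T10:00:06Z';  // constructed: time of a worker OOM kill

function parseLine(line) {
  const [ts, ip, method, path, status, bytes] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, method, path, status: Number(status), bytes: Number(bytes) };
}
const isVerifyUpload = (e) => e.method === 'POST' && e.path === VERIFY_PATH;

// Flag clients sending more than maxPerWindow verification uploads inside any windowMs span
function flagHighRateClients(lines, { windowMs = 10_000, maxPerWindow = 4 } = {}) {
  const byIp = new Map();
  for (const e of lines.map(parseLine).filter(isVerifyUpload)) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.t);
  }
  const flagged = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let lo = 0;
    for (let hi = 0; hi < times.length; hi++) {
      while (times[hi] - times[lo] > windowMs) lo++;  // slide the window forward
      if (hi - lo + 1 > maxPerWindow) { flagged.push(ip); break; }
    }
  }
  return flagged;
}

// Flag uploads whose body exceeds maxBytes (size outliers consistent with amplification payloads)
function flagOversizedUploads(lines, maxBytes = 1_000_000) {
  return lines.map(parseLine).filter((e) => isVerifyUpload(e) && e.bytes > maxBytes);
}
// Correlate: uploads that arrived within lookbackMs before a worker crash are the prime suspects
function uploadsBeforeCrash(lines, crashIso, lookbackMs = 30_000) {
  const crashT = Date.parse(crashIso);
  return lines.map(parseLine).filter(
    (e) => isVerifyUpload(e) && e.t <= crashT && crashT - e.t <= lookbackMs);
}
```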
Monitoring Recommendations
- Forward web server, application, and container runtime logs to a centralized analytics platform for correlation
- Establish baselines for parser latency and resource consumption, then alert on sustained deviations
- Monitor reverse proxy logs for clients that submit malformed media at high rates
- Track Adobe security bulletins for follow-up advisories referencing the Content Authenticity SDK
How to Mitigate CVE-2026-34665
Immediate Actions Required
- Inventory all applications and services that bundle c2pa or c2pa-web and identify the installed versions
- Upgrade to the fixed releases published in Adobe Security Advisory APSB26-53
- Restrict unauthenticated access to Content Credentials verification endpoints where business logic permits
- Place rate limits and request size caps in front of any service that invokes the affected SDK
Patch Information
Adobe addressed CVE-2026-34665 in updated releases of the Content Authenticity SDK. Refer to Adobe Security Advisory APSB26-53 for the specific fixed versions of c2pa and c2pa-web and update both the Rust crate and Node.js package across all consuming projects.
Workarounds
- Run C2PA parsing in isolated worker processes with strict memory and CPU cgroup limits to contain resource exhaustion
- Enforce maximum upload sizes for media assets at the reverse proxy or API gateway layer
- Apply per-IP request rate limits to verification endpoints to slow amplification attempts
- Queue verification jobs asynchronously so that parser failures degrade gracefully instead of blocking user-facing requests
# Example: cap memory and CPU for a C2PA verification worker using systemd
# Drop-in fragment for the worker's service unit (e.g. under the unit's .service.d/ directory)
[Service]
# Kill the worker when its cgroup exceeds 512 MiB
MemoryMax=512M
# Allow at most half of one CPU, so a spinning parser cannot starve the host
CPUQuota=50%
# Fail startup if the worker does not become ready within 30 seconds
TimeoutStartSec=30
# Re-spawn the worker after an OOM kill or crash instead of leaving it down
Restart=on-failure
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.