CVE-2026-47905 Overview
CVE-2026-47905 affects Adobe's Content Authenticity Initiative (CAI) Content Credentials libraries, specifically c2pa-web@0.7.1, c2pa-v0.80.1, and earlier versions. The flaw is an Uncontrolled Resource Consumption weakness [CWE-400] that allows a local attacker to exhaust system resources. Successful exploitation produces a denial-of-service condition in the affected application. The issue requires no user interaction and no privileges to trigger. Adobe documented the vulnerability in security advisory APSB26-61.
Critical Impact
A local attacker can trigger uncontrolled resource consumption in the C2PA libraries, causing the host application processing Content Credentials to become unresponsive.
Affected Products
- CAI Content Credentials c2pa-web@0.7.1 and earlier
- CAI Content Credentials c2pa-v0.80.1 and earlier
- Applications and tools embedding the affected C2PA libraries
Discovery Timeline
- 2026-06-09 - CVE-2026-47905 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47905
Vulnerability Analysis
The CAI Content Credentials libraries parse and validate C2PA (Coalition for Content Provenance and Authenticity) manifests embedded in media assets. The vulnerability resides in the resource handling paths of c2pa-web and the c2pa core library. When the library processes specially crafted input, it fails to bound the resources it consumes during parsing or validation. Memory, CPU, or file handles can be exhausted until the host process becomes unresponsive. The flaw is classified under Uncontrolled Resource Consumption [CWE-400] and affects availability only. Confidentiality and integrity of processed assets remain intact.
Root Cause
The library lacks proper limits on input size, recursion depth, or allocation count when handling Content Credentials data structures. Without these bounds, an adversary-supplied manifest can drive the parser into excessive allocations or processing loops. This pattern is common in libraries that decode nested or compressed structured data without enforcing strict resource budgets.
Attack Vector
The attack vector is local. An attacker supplies a malformed or oversized C2PA-tagged asset to an application that loads the vulnerable library. Processing the asset consumes available resources until the application terminates or hangs. The CVSS vector AV:L/AC:L/PR:N/UI:N indicates no privileges or user interaction are required once the file reaches the parser. Refer to the Adobe Security Advisory APSB26-61 for vendor-confirmed technical details.
Detection Methods for CVE-2026-47905
Indicators of Compromise
- Repeated crashes or hangs in processes that link c2pa-web or c2pa core libraries
- Sustained CPU saturation or rapid memory growth in applications parsing C2PA manifests
- Application logs reporting allocation failures or timeouts during Content Credentials validation
Detection Strategies
- Inventory hosts and build artifacts for the affected c2pa-web@0.7.1 and c2pa-v0.80.1 package versions using software composition analysis
- Monitor endpoint telemetry for processes that crash or restart after handling media files with embedded provenance manifests
- Capture and review crash dumps to confirm exhaustion patterns originating in C2PA parsing routines
Monitoring Recommendations
- Alert on abnormal resource utilization by processes that handle untrusted media uploads
- Track package versions in CI/CD pipelines and flag builds that include vulnerable C2PA library releases
- Correlate file ingestion events with process termination events in centralized logging
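The last two detection items (watching for processes that die after handling provenance-tagged media, and correlating ingestion with termination events) can be turned into a small log-correlation routine. The following is an added example, not part of the advisory or of any CAI/Adobe tooling: it reads a constructed, simplified key=value log format (ISO timestamp, event name, fields) in which a worker logs an `ingest` event for each asset it opens and a `proc_exit` event when it ends, and attributes every abnormal exit (`oom`, `timeout`, `signal`; an assumed reason vocabulary) to the most recent asset that worker ingested within a time window. Real ingestion and crash logs will need their own parser, but the attribution logic is the same.

```python
"""Correlate asset-ingestion events with abnormal worker terminations.
Added example; not part of the advisory or of any CAI/Adobe tooling.
Log format is constructed for illustration: each line is an ISO timestamp,
an event name and space-separated key=value fields."""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s*(?P<fields>.*)$")
ABNORMAL_REASONS = {"oom", "timeout", "signal"}  # assumed reason vocabulary

# Constructed sample: one clean exit, two abnormal exits attributable to an
# asset, one abnormal exit with no preceding ingest, and one malformed line.
SAMPLE_LOG = """\
2026-06-09T10:00:00 ingest pid=4120 asset=upload/a.jpg source=web
2026-06-09T10:00:01 proc_exit pid=4120 reason=ok code=0
2026-06-09T10:00:05 ingest pid=4121 asset=upload/b.jpg source=web
2026-06-09T10:00:12 proc_exit pid=4121 reason=oom signal=SIGKILL
2026-06-09T10:01:00 ingest pid=4122 asset=upload/c.jpg source=partner
2026-06-09T10:01:14 proc_exit pid=4122 reason=timeout signal=SIGKILL
2026-06-09T10:05:00 proc_exit pid=4123 reason=oom signal=SIGKILL
this line is deliberately malformed
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is unusable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None  # timestamp column is not a timestamp: skip the line
    fields = {}
    for pair in m.group("fields").split():
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return {"ts": ts, "event": m.group("event"), **fields}


def correlate(lines, window_seconds=60):
    """Return abnormal exits attributed to the asset the worker last ingested.

    Each suspect records the asset, its source, the worker pid, the exit
    reason and how many seconds after ingestion the worker died."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    events.sort(key=lambda e: e["ts"])
    last_ingest = {}  # pid -> most recent ingest event for that worker
    suspects = []
    for e in events:
        if e["event"] == "ingest" and "pid" in e and "asset" in e:
            last_ingest[e["pid"]] = e
        elif e["event"] == "proc_exit" and e.get("reason") in ABNORMAL_REASONS:
            ingest = last_ingest.pop(e.get("pid"), None)
            if ingest is None:
                continue  # nothing ingested by this pid: cannot attribute
            delta = (e["ts"] - ingest["ts"]).total_seconds()
            if 0 <= delta <= window_seconds:
                suspects.append({
                    "asset": ingest["asset"],
                    "source": ingest.get("source", "unknown"),
                    "pid": e["pid"],
                    "reason": e["reason"],
                    "seconds_after_ingest": delta,
                })
    return suspects


def demo():
    """Run the correlation over the constructed sample log."""
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for s in demo():
        print(s)
```

Assets that show up repeatedly in the suspect list, or that arrive from one source, are the ones to quarantine and to retain for crash-dump review under the third detection strategy above.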
How to Mitigate CVE-2026-47905
Immediate Actions Required
- Identify all applications and services that depend on c2pa-web or the c2pa core library
- Upgrade to the fixed versions published in Adobe Security Advisory APSB26-61
- Restrict who can submit media files to systems performing Content Credentials processing until patched
Patch Information
Adobe addressed CVE-2026-47905 in updated releases of the CAI Content Credentials SDK. Versions later than c2pa-web@0.7.1 and c2pa-v0.80.1 contain the fix. Consult APSB26-61 for the specific fixed version numbers and upgrade guidance.
Workarounds
- Enforce file size limits on assets accepted by applications that invoke the C2PA libraries
- Run Content Credentials parsing in isolated worker processes with memory and CPU limits to contain resource exhaustion
- Disable optional Content Credentials processing for untrusted input sources until the patched library is deployed
# Configuration example
# Limit resource usage for processes invoking C2PA parsing on Linux.
# MemoryMax caps the memory of the transient scope (cgroup v2), so an exhausting
# parse is OOM-killed inside the scope rather than starving the host; CPUQuota
# caps the scope at half of one CPU. Binary name and asset path are placeholders.
systemd-run --scope -p MemoryMax=512M -p CPUQuota=50% \
    /usr/local/bin/your-c2pa-processor --input /path/to/asset
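The first two workarounds (a size gate on accepted assets, and parsing in an isolated worker with memory and CPU limits) can also be applied from inside the application rather than through systemd. The following is an added example, not Adobe, CAI or c2pa project code: a Python wrapper that rejects oversized files before any parsing, then runs the parser as a child process with an address-space limit, a CPU-time limit and a wall-clock timeout, and reports a status the caller can log and alert on. The parser command is an assumed placeholder supplied by the caller; in `demo()` the Python interpreter itself stands in for the parser so the wrapper can be exercised without the library.

```python
"""Containment wrapper for Content Credentials parsing.
Added example, not Adobe/CAI/c2pa code. Applies a size gate and runs the
(assumed, caller-supplied) parser command in a child process with memory,
CPU and wall-clock budgets, so a pathological manifest only takes down the
worker, never the host application. Linux/POSIX only (setrlimit, preexec_fn)."""
import os
import resource
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional

MAX_ASSET_BYTES = 64 * 1024 * 1024  # assumed policy: refuse assets above 64 MiB


@dataclass
class ParseResult:
    status: str  # "ok", "rejected_size", "timeout", "killed" or "error"
    returncode: Optional[int]
    output: str


def _apply_limits(mem_bytes: int, cpu_seconds: int) -> None:
    """Runs in the child between fork and exec: cap address space and CPU time.
    Never raise the limit above the inherited hard limit, which would fail."""
    for res, wanted in ((resource.RLIMIT_AS, mem_bytes),
                        (resource.RLIMIT_CPU, cpu_seconds)):
        _, hard = resource.getrlimit(res)
        limit = wanted if hard == resource.RLIM_INFINITY else min(wanted, hard)
        resource.setrlimit(res, (limit, limit))


def parse_asset_contained(asset_path: str, command: List[str], *,
                          max_bytes: int = MAX_ASSET_BYTES,
                          mem_bytes: int = 512 * 1024 * 1024,
                          cpu_seconds: int = 10,
                          wall_seconds: float = 15.0) -> ParseResult:
    """Size-gate the asset, then run `command + [asset_path]` under limits."""
    if os.path.getsize(asset_path) > max_bytes:
        return ParseResult("rejected_size", None, "")  # never reaches the parser
    try:
        proc = subprocess.run(
            list(command) + [asset_path],
            stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
            timeout=wall_seconds,  # run() kills the child on expiry
            preexec_fn=lambda: _apply_limits(mem_bytes, cpu_seconds),
            start_new_session=True,
        )
    except subprocess.TimeoutExpired:
        return ParseResult("timeout", None, "")
    text = proc.stdout.decode(errors="replace")
    if proc.returncode < 0:  # died from a signal (e.g. SIGXCPU, SIGKILL)
        return ParseResult("killed", proc.returncode, text)
    return ParseResult("ok" if proc.returncode == 0 else "error",
                       proc.returncode, text)


def demo() -> dict:
    """Exercise the wrapper with the interpreter standing in for the parser."""
    with tempfile.NamedTemporaryFile(suffix=".jpg", delete=False) as f:
        f.write(b"\xff\xd8" + b"\x00" * 64)  # constructed stand-in asset (66 bytes)
        path = f.name

    def stand_in(body: str) -> List[str]:
        return [sys.executable, "-c", body]

    try:
        return {
            "ok": parse_asset_contained(
                path, stand_in("import sys; print('parsed', sys.argv[1])"),
                mem_bytes=4 * 1024 ** 3).status,
            "oversized": parse_asset_contained(
                path, stand_in("pass"), max_bytes=16).status,
            "hang": parse_asset_contained(
                path, stand_in("import time; time.sleep(60)"),
                mem_bytes=4 * 1024 ** 3, wall_seconds=2).status,
            # Allocating 2 GiB under a 1 GiB address-space cap fails inside the
            # child only; the parent keeps running and sees "error".
            "memory": parse_asset_contained(
                path, stand_in("x = bytearray(2 * 1024 ** 3); print(len(x))"),
                mem_bytes=1024 ** 3).status,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The status string is what should feed the monitoring items above: a run of `timeout`, `killed` or `error` results for assets from one source is exactly the ingestion-to-termination pattern worth alerting on, and the size gate keeps the cheapest class of oversized input from ever reaching the parser.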
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.