Severity: HIGH | CVE-2026-34711 | CNA: adobe

CVE-2026-34711: CAI Content Credentials | Integer Overflow or Wraparound (CWE-190)

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An integer overflow vulnerability in Adobe's CAI Content Credentials library (c2pa-v0.80.1 and earlier, c2pa-web@0.7.1 and earlier) is reachable over the network without any authentication or user interaction. An attacker sends a specially crafted request that triggers an arithmetic wraparound in the library's integer handling, causing the application to crash. Successful exploitation results in a denial-of-service condition, taking the affected service offline. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched rebuild the moment upstream releases one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the affected c2pa library versions.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 HIGH using the published v3.1 vector and applies per-environment compliance policy weighting to route it to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Adobe or the CAI project ships a remediated release. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to reduce exposure.

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, meaning an attacker must be able to reach the service from a remote host to deliver the malicious payload.

  • Authentication: Not required

    No credentials or account of any kind are needed; the attacker can interact with the service as an unauthenticated party.

  • Victim interaction: Not required

    The exploit completes without any action from a user or operator of the affected system.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • Crashes the affected application process, taking it offline and making any features backed by the CAI Content Credentials library unavailable.
  • Repeated requests can keep the service in a crash loop, preventing recovery without operator intervention or traffic filtering.
  • Any downstream workflows that depend on content credential verification (such as provenance checks or media authenticity pipelines) are disrupted for the duration of the outage.

How HarborGuard Handles This

Available on HarborGuard: once an image containing c2pa-v0.80.1 or earlier (or c2pa-web@0.7.1 or earlier) is scanned, HarborGuard flags it as affected and surfaces the finding with CVSS 7.5 HIGH severity. Because no upstream fix exists today, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as Adobe or the CAI project publishes a remediated version. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the fix is available. In the interim, HarborGuard can surface network-policy isolation recommendations to restrict inbound access to services running the affected library, limiting the pool of hosts that can reach the vulnerable endpoint and reducing the practical attack surface until a patch ships.

Affected packages

  • Adobe / CAI Content Credentials: ≤ c2pa-v0.80.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H