SB2026071529 - Multiple vulnerabilities in Content Credentials SDKs



SB2026071529 - Multiple vulnerabilities in Content Credentials SDKs

Published: July 15, 2026

Security Bulletin ID SB2026071529
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Integer overflow (CVE-ID: CVE-2026-34711)

CWE-ID: CWE-190 - Integer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to integer overflow or wraparound in Content Credentials Rust SDK when parsing input. A remote attacker can send specially crafted input to cause a denial of service.


2) Input validation error (CVE-ID: CVE-2026-34712)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in Content Credentials Rust SDK when parsing input. A remote attacker can send specially crafted input to cause a denial of service.


3) Resource exhaustion (CVE-ID: CVE-2026-34713)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in Content Credentials Rust SDK when parsing input. A remote attacker can send specially crafted input to cause a denial of service.


4) Resource exhaustion (CVE-ID: CVE-2026-47902)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in Content Credentials Rust SDK when parsing input locally. A remote attacker can supply specially crafted input to cause a denial of service.


5) Input validation error (CVE-ID: CVE-2026-47903)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in Content Credentials Rust SDK when parsing input locally. A remote attacker can supply specially crafted input to cause a denial of service.


6) Resource exhaustion (CVE-ID: CVE-2026-47904)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in Content Credentials Rust SDK when parsing input locally. A remote attacker can supply specially crafted input to cause a denial of service.


7) Resource exhaustion (CVE-ID: CVE-2026-47905)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in Content Credentials Rust SDK when parsing input locally. A remote attacker can supply specially crafted input to cause a denial of service.


8) Path traversal (CVE-ID: CVE-2026-34657)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform an arbitrary file system write.

The vulnerability exists due to path traversal in Content Credentials Rust SDK when handling crafted file paths. A remote attacker can trick the victim into opening crafted content to perform an arbitrary file system write.

User interaction is required to open crafted content.


Remediation

Install update from vendor's website.