CVE-2026-40333
Received Received - Intake

Unbounded Read Vulnerability in libgphoto2 ptp-pack.c Functions

Vulnerability report for CVE-2026-40333, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-07-06
AI Q&A
2026-04-18
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
libgphoto2 libgphoto2 to 2.5.33 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unbounded reads, which may cause a denial of service (application crash) or potentially expose sensitive information from memory. According to the CVSS score (6.1), the impact includes high confidentiality impact and high availability impact, meaning that confidential data could be exposed and the application could become unavailable.

Mitigation Strategies

To mitigate this vulnerability, update libgphoto2 to a version that includes the patch commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 or later, which fixes the unbounded read issue.

Executive Summary

This vulnerability exists in libgphoto2, a camera access and control library, specifically in versions up to and including 2.5.33. Two functions in the file camlibs/ptp2/ptp-pack.c accept a data pointer but do not receive a length parameter, which causes them to perform unbounded reads. The callers of these functions in ptp_unpack_EOS_events() have the size information (xsize) available but do not pass it along, preventing the functions from validating the read operations against the actual buffer boundaries. This can lead to reading beyond the intended memory buffer.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40333. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart