CVE-2026-40336
Received Received - Intake
Memory Leak in libgphoto2 ptp_unpack_Sony_DPD Function

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40336
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libgphoto2 libgphoto2 to 2.5.33 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in libgphoto2 is a memory leak that affects availability but does not impact confidentiality or integrity.

Given the CVSS score indicates no confidentiality or integrity impact, this vulnerability is unlikely to directly affect compliance with standards such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, since availability is affected, organizations with strict uptime or availability requirements might consider this relevant, but no direct compliance violation is indicated.

Executive Summary

This vulnerability is a memory leak in the libgphoto2 library, specifically in the function ptp_unpack_Sony_DPD() found in the ptp-pack.c file. When processing a secondary enumeration list introduced in 2024 and later Sony cameras, the function allocates new memory without freeing previously allocated memory. This causes the original array and any string values it contains to be leaked every time a property descriptor is parsed.

Impact Analysis

The impact of this vulnerability is a memory leak, which means that the affected software will consume increasing amounts of memory over time when processing certain camera data. This can lead to degraded performance or potentially cause the application to crash or become unstable due to exhaustion of available memory.

Mitigation Strategies

To mitigate this vulnerability, update libgphoto2 to a version later than 2.5.33 where the issue is fixed (commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6). This will prevent the memory leak in the ptp_unpack_Sony_DPD() function.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40336. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart