CVE-2026-40338
Received - Intake
Out-of-Bounds Read in libgphoto2 PTP Sony Enumeration

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
Meta Information
Published: 2026-04-18
Last Modified: 2026-04-18
Generated: 2026-05-07
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libgphoto2 libgphoto2 to 2.5.33 (inc)
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in libgphoto2, a camera access and control library, in versions up to and including 2.5.33. It is an out-of-bounds read issue in the PTP_DPFF_Enumeration case of the function ptp_unpack_Sony_DPD() located in camlibs/ptp2/ptp-pack.c at line 856.

The problem occurs because the function reads a 2-byte enumeration count (N) using dtoh16o(data, *poffset) without first verifying that there are at least 2 bytes remaining in the buffer. This check is present in the standard ptp_unpack_DPD() function but was omitted in this Sony-specific variant by oversight.

This flaw can lead to reading memory outside the intended buffer bounds, which is a classic out-of-bounds read vulnerability.
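
The missing length check, shown as an added example that is not libgphoto2's code or the upstream fix. The names `rd_le16` and `parse_enum_u16` are hypothetical, the enumeration values are assumed to be 16-bit, and the second check (count N against the remaining payload) goes beyond what this advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not libgphoto2's dtoh16o): read a little-endian
 * 16-bit value at *off and advance. The caller must check bounds first. */
static uint16_t rd_le16(const uint8_t *data, size_t *off)
{
    uint16_t v = (uint16_t)(data[*off] | (data[*off + 1] << 8));
    *off += 2;
    return v;
}

/* Parse an enumeration form: 16-bit count N, then N 16-bit values
 * (element width is an assumption for this example).
 * Returns the number of values stored, or -1 if the buffer is too short. */
int parse_enum_u16(const uint8_t *data, size_t len, size_t *off,
                   uint16_t *out, size_t out_cap)
{
    /* The check the advisory describes as omitted: 2 bytes must remain
     * before the count N is read. */
    if (*off > len || len - *off < 2)
        return -1;
    uint16_t n = rd_le16(data, off);

    /* N comes from the device: bound it by remaining bytes and capacity. */
    if ((size_t)n > (len - *off) / 2 || n > out_cap)
        return -1;
    for (uint16_t i = 0; i < n; i++)
        out[i] = rd_le16(data, off);
    return (int)n;
}

int main(void)
{
    /* Constructed sample buffers, not captured camera traffic. */
    const uint8_t ok[]     = { 0x02, 0x00, 0x64, 0x00, 0xC8, 0x00 };
    const uint8_t short1[] = { 0x02 };                   /* 1 byte left for N */
    const uint8_t lies[]   = { 0x05, 0x00, 0x64, 0x00 }; /* N exceeds payload */
    uint16_t vals[8];
    size_t off = 0;
    printf("ok: %d\n", parse_enum_u16(ok, sizeof ok, &off, vals, 8));
    off = 0;
    printf("short: %d\n", parse_enum_u16(short1, sizeof short1, &off, vals, 8));
    off = 0;
    printf("lies: %d\n", parse_enum_u16(lies, sizeof lies, &off, vals, 8));
    return 0;
}
```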


How can this vulnerability impact me?

The vulnerability has a CVSS v3.1 base score of 5.2, indicating a moderate severity. It requires physical access (AV:P) but has low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N).

The impact includes high confidentiality impact (C:H) and low availability impact (A:L), with no integrity impact (I:N). This means an attacker with physical access could potentially read sensitive memory contents, leading to information disclosure.

Since the vulnerability involves an out-of-bounds read, it could be exploited to leak sensitive data from memory, which might compromise confidentiality.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update libgphoto2 to a version later than 2.5.33 where the issue has been fixed by commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.

