CVE-2026-40338
Received - Intake
Out-of-Bounds Read in libgphoto2 PTP Sony Enumeration

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.
Meta Information
Published: 2026-04-18
Last Modified: 2026-04-18
Generated: 2026-06-16
AI Q&A: 2026-04-18
EPSS Evaluated: 2026-06-15
Affected Vendors & Products

| Vendor | Product | Version / Range |
|---|---|---|
| libgphoto2 | libgphoto2 | to 2.5.33 (inc) |
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Executive Summary

This vulnerability exists in libgphoto2, a camera access and control library, in versions up to and including 2.5.33. It is an out-of-bounds read issue in the PTP_DPFF_Enumeration case of the function `ptp_unpack_Sony_DPD()` located in `camlibs/ptp2/ptp-pack.c` at line 856.

The problem occurs because the function reads a 2-byte enumeration count (N) using `dtoh16o(data, *poffset)` without first verifying that there are at least 2 bytes remaining in the buffer. This check is present in the standard `ptp_unpack_DPD()` function but was omitted in this Sony-specific variant by oversight.

As a result, the function can read memory outside the intended buffer bounds, which is the behavior classified as an out-of-bounds read (CWE-125).
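An added illustration (not libgphoto2 code and not the fix commit) of the pattern described above: confirm that 2 bytes remain before reading the count N. The second check, that the N announced values also fit in the buffer, goes beyond what the advisory states. The function name `unpack_enum_u16`, the fixed 16-bit element type and the little-endian byte order are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Read a 16-bit little-endian value; the caller has already checked bounds. */
static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/*
 * Hypothetical unpacker for an enumeration form: a 16-bit count N followed by
 * N 16-bit values. Returns 0 on success, -1 if the buffer is too short.
 * *poffset is advanced only on success.
 */
int unpack_enum_u16(const uint8_t *data, size_t len, size_t *poffset,
                    uint16_t **values, uint16_t *count)
{
    size_t off = *poffset;

    /* The kind of check the advisory says was omitted: 2 bytes must remain for N. */
    if (off > len || len - off < sizeof(uint16_t))
        return -1;
    uint16_t n = rd16le(data + off);
    off += sizeof(uint16_t);

    /* N is device-controlled, so the N values must also fit in what is left. */
    if ((size_t)n > (len - off) / sizeof(uint16_t))
        return -1;

    uint16_t *out = calloc(n ? n : 1, sizeof(*out));
    if (!out)
        return -1;
    for (uint16_t i = 0; i < n; i++)
        out[i] = rd16le(data + off + 2u * i);

    *values = out;
    *count = n;
    *poffset = off + 2u * (size_t)n;
    return 0;
}

int main(void)
{
    /* Constructed sample: count = 2, then values 0x0010 and 0x0020. */
    const uint8_t sample[] = {0x02, 0x00, 0x10, 0x00, 0x20, 0x00};
    size_t off = 0; uint16_t *v = NULL, n = 0;
    int rc = unpack_enum_u16(sample, sizeof sample, &off, &v, &n);
    free(v);
    return (rc == 0 && n == 2) ? 0 : 1;
}
```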

Impact Analysis

The vulnerability has a CVSS v3.1 base score of 5.2, indicating medium severity. It requires physical access (AV:P) but has low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N).

The confidentiality impact is high (C:H), the availability impact is low (A:L), and there is no integrity impact (I:N). Because the flaw is an out-of-bounds read, an attacker with physical access could potentially read sensitive memory contents, leading to information disclosure.

Mitigation Strategies

To mitigate this vulnerability, update libgphoto2 to a version later than 2.5.33 where the issue has been fixed by commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.
