CVE-2026-40339
Out-of-Bounds Read in libgphoto2 Sony PTP Component
Publication date: 2026-04-18
Last updated on: 2026-04-18
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libgphoto2 | libgphoto2 | up to and including 2.5.33 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in libgphoto2, a camera access and control library, specifically in versions up to and including 2.5.33. It is an out-of-bounds read issue in the function ptp_unpack_Sony_DPD() located in the file camlibs/ptp2/ptp-pack.c at line 842. The function reads a byte called FormFlag without first checking if the read is within the valid bounds of the data buffer. Unlike the standard ptp_unpack_DPD() function, which performs a proper bounds check before reading, the Sony-specific variant omits this check, leading to a potential out-of-bounds read.
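A simplified model of the missing check, added here as an example; it is not libgphoto2's code. The field layout, the offset of FormFlag and all `demo_*` names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified layout (an assumption, not the real Sony PTP format):
 *   u16 property code | u16 data type | u8 get/set | u8 FormFlag */
#define DEMO_FORMFLAG_OFF 5
enum { DPD_OK = 0, DPD_TRUNCATED = -1 };
typedef struct { uint16_t prop_code, data_type; uint8_t get_set, form_flag; } demo_dpd;
static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Fixed fields that precede FormFlag; caller guarantees len >= 5. */
static void unpack_head(const uint8_t *buf, demo_dpd *dpd)
{
    dpd->prop_code = le16(buf);
    dpd->data_type = le16(buf + 2);
    dpd->get_set   = buf[4];
}

/* Pattern the description names: FormFlag is read with no length check. */
int demo_unpack_unchecked(const uint8_t *buf, size_t len, demo_dpd *dpd)
{
    if (buf == NULL || len < DEMO_FORMFLAG_OFF)
        return DPD_TRUNCATED;
    unpack_head(buf, dpd);
    dpd->form_flag = buf[DEMO_FORMFLAG_OFF];   /* out of bounds when len == 5 */
    return DPD_OK;
}

/* Hardened form: FormFlag's offset must lie inside the received length. */
int demo_unpack_checked(const uint8_t *buf, size_t len, demo_dpd *dpd)
{
    if (buf == NULL || len <= DEMO_FORMFLAG_OFF)
        return DPD_TRUNCATED;
    unpack_head(buf, dpd);
    dpd->form_flag = buf[DEMO_FORMFLAG_OFF];
    return DPD_OK;
}

int main(void)
{
    /* Constructed input: a 5-byte message stored in a larger buffer, so the
     * unchecked read stays inside the array and only crosses the message end. */
    const uint8_t backing[8] = {0x01, 0xD2, 0x02, 0x00, 0x01, 0xAA, 0x00, 0x00};
    demo_dpd d = {0};
    printf("unchecked: rc=%d\n", demo_unpack_unchecked(backing, 5, &d));
    printf("  FormFlag=0x%02X (byte beyond the message)\n", d.form_flag);
    printf("checked:   rc=%d\n", demo_unpack_checked(backing, 5, &d));
    return 0;
}
```

With a declared length of 5, the unchecked variant accepts the descriptor and returns whatever byte follows the message as FormFlag, while the checked variant rejects it as truncated.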
How can this vulnerability impact me?
The vulnerability can lead to an out-of-bounds read, which may cause the application using libgphoto2 to behave unexpectedly or crash (denial of service). According to the CVSS score, it has a moderate severity with a base score of 5.2, indicating it can impact confidentiality (high impact) and availability (low impact), but does not affect integrity. Since the attack vector is physical (AV:P), an attacker would need physical access to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update libgphoto2 to a version that includes the fix, specifically a version after 2.5.33 where commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d has been applied.