CVE-2026-40339
Received Received - Intake
Out-of-Bounds Read in libgphoto2 Sony PTP Component

Publication date: 2026-04-18

Last updated on: 2026-04-18

Assigner: GitHub, Inc.

Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686–687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-18
Last Modified
2026-04-18
Generated
2026-06-16
AI Q&A
2026-04-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40339
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libgphoto2 libgphoto2 to 2.5.33 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in libgphoto2, a camera access and control library, specifically in versions up to and including 2.5.33. It is an out-of-bounds read issue in the function ptp_unpack_Sony_DPD() located in the file camlibs/ptp2/ptp-pack.c at line 842. The function reads a byte called FormFlag without first checking if the read is within the valid bounds of the data buffer. Unlike the standard ptp_unpack_DPD() function, which performs a proper bounds check before reading, the Sony-specific variant omits this check, leading to a potential out-of-bounds read.

Impact Analysis

The vulnerability can lead to an out-of-bounds read, which may cause the application using libgphoto2 to behave unexpectedly or crash (denial of service). According to the CVSS score, it has a moderate severity with a base score of 5.2, indicating it can impact confidentiality (high impact) and availability (low impact), but does not affect integrity. Since the attack vector is physical (AV:P), an attacker would need physical access to exploit this vulnerability.

Mitigation Strategies

To mitigate this vulnerability, update libgphoto2 to a version that includes the fix, specifically a version after 2.5.33 where commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d has been applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart