{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40338", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.358Z", "datePublished": "2026-04-17T23:40:10.097Z", "dateUpdated": "2026-04-17T23:40:10.097Z"}, "containers": {"cna": {"title": "libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-2hwp-w84q-27hf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-2hwp-w84q-27hf"}, {"name": "https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845", "tags": ["x_refsource_MISC"], "url": "https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845"}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"version": "<= 2.5.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:40:10.097Z"}, "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue."}], "source": {"advisory": "GHSA-2hwp-w84q-27hf", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue."}], "id": "CVE-2026-40338", "lastModified": "2026-04-18T00:16:37.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:37.810", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/commit/3b9f9696be76ae51dca983d9dd8ce586a2561845"}, {"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-2hwp-w84q-27hf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:46:23.314653+00:00", "value": {"mitigation_remediation": ["Upgrade libgphoto2 to the latest release or apply the patch commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 to eliminate the unchecked buffer read.", "Ensure that all dependent software references the updated library and restart services to load the patched binary.", "If an immediate update is not feasible, restrict access to camera devices by limiting permissions to trusted users or disabling PTP features until the library can be updated."], "summary": {"action": "Patch Now", "impact": "Information disclosure via out-of-bounds read"}, "threat_synthesis": {"affected_systems": "Any installation of libgphoto2 for the gphoto vendor with a version 2.5.33 or earlier is affected. Software that depends on this library and communicates with Sony cameras via the PTP_DPFF_Enumeration content will also be vulnerable. Public releases newer than 2.5.33 contain the fix and are not impacted.", "description_and_impact": "The vulnerability stems from the libgphoto2 camera library, specifically the ptp_unpack_Sony_DPD() routine in ptp-pack.c. In versions up to 2.5.33 the function reads a 2\u2011byte enumeration count without first verifying that the buffer contains two bytes. This unchecked read can expose arbitrary memory contents from the host process that handles camera communication, constituting a classic out-of-bounds read flaw.", "risk_and_exploitability": "The CVSS score of 5.2 indicates a medium severity threat. Exploitation would require an attacker to supply crafted PTP commands to the library, typically by interacting with a connected camera device or through a vulnerable camera control application. Because the flaw is an out-of-bounds read rather than a format\u2011string or privilege\u2011escalation bug, the risk of arbitrary code execution is low, but the potential to leak sensitive data is present. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting a moderate but not imminent exploitation risk. The likely attack vector is a local or device-based attack where the attacker can send compromised data to the library."}}}}, "created": "2026-04-18T09:00:05.890435+00:00", "updated": "2026-04-18T09:00:05.890446+00:00", "vendors": []}