CVE-2026-40338 MEDIUM

CVE-2026-40338: libgphoto2 has OOB read in ptp_unpack_Sony_DPD() enumeration count parsing in ptp-pack.c

Vendor Gphoto
Product libgphoto2
Weakness CWE-125
Published April 17, 2026
Last update April 20, 2026

CVSS base score

5.2/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

What the vulnerability does

01Description

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.

Key dates

02Disclosure timeline

April 17, 2026 CVE published
April 20, 2026 Record updated