Description
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.
Published: 2026-04-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in libgphoto2 arises from out-of-bounds memory reads caused by missing length parameters in two unpacking functions. The functions ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() in camlibs/ptp2/ptp-pack.c read data without validating the buffer size, leading to a potential disclosure of arbitrary data in user memory. This flaw corresponds to CWE‑125, indicating an unchecked read beyond a buffer boundary.

Affected Systems

Affected releases include libgphoto2 versions up to and including 2.5.33. The library is widely used for camera access and control, meaning any system that compiles or links against these versions could be vulnerable if it processes data from an EOS camera or utilizes the PTP protocol during event handling.

Risk and Exploitability

The CVSS base score of 6.1 classifies the issue as moderate severity, and the absence of an EPSS score indicates limited publicly known exploitation data. The flaw is not listed in the CISA KEV catalog, suggesting it is not a widely exploited vulnerability. Exploitation would require an attacker able to supply crafted PTP packets to the library, such as through a compromised camera device or a manufacturing environment that can inject data at the transport layer. While the attack vector appears local or device‑centric, the lack of input length checks makes the read boundary validation impossible within the library, so any corrupted payload could leak memory contents to the running process.

Generated by OpenCVE AI on April 18, 2026 at 08:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libgphoto2 to the latest release (2.5.34 or newer) which includes commit 1817ecead20c2aafa7549dac9619fe38f47b2f53.
  • Rebuild and relink all applications that depend on libgphoto2 against the updated library to activate the fix.
  • If an upgrade is not yet possible, limit or sandbox the library’s exposure by disabling camera functions that trigger the vulnerable PTP routines and isolating the process with strict memory protection controls.

Generated by OpenCVE AI on April 18, 2026 at 08:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.
Title libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:11:11.073Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40333

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-18T00:16:37.120

Modified: 2026-04-18T00:16:37.120

Link: CVE-2026-40333

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses