Description
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.
Published: 2026-04-17
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

The libgphoto2 library suffers from out-of-bounds memory reads caused by two unpacking functions that accept a data pointer but omit a length parameter. Because callers provide no explicit size check, the functions read beyond the allocated buffer, potentially exposing arbitrary data from the process’s memory space. This flaw corresponds to CWE‑125 and CWE‑130 and can lead to disclosure of confidential information if exploited.
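The pattern described above, shown as an added example that is not libgphoto2's code: an unpacker that takes only a data pointer beside one that also takes the remaining size (the role `xsize` plays in the description). The record layout, the function names and the sample buffers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit load; the caller must guarantee 4 readable bytes. */
uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed layout (not the Canon EOS format): u32 count, then count u32 values. */

/* Unbounded form: no length parameter, so the device-supplied count is
 * trusted and the loop can read past the end of the buffer. */
uint32_t sum_unbounded(const unsigned char *data) {
    uint32_t n = le32(data), sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += le32(data + 4 + 4 * (size_t)i);
    return sum;
}

/* Bounded form: the caller passes the remaining size.
 * Returns 0 on success, -1 if the record does not fit in len bytes. */
int sum_bounded(const unsigned char *data, size_t len, uint32_t *out) {
    if (data == NULL || out == NULL || len < 4)
        return -1;                      /* header itself is truncated */
    uint32_t n = le32(data);
    if (n > (len - 4) / 4)              /* divide, so a huge count cannot overflow */
        return -1;
    uint32_t sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += le32(data + 4 + 4 * (size_t)i);
    *out = sum;
    return 0;
}

/* Constructed sample inputs. */
const unsigned char good_rec[]  = { 2,0,0,0, 5,0,0,0, 7,0,0,0 };
const unsigned char lying_rec[] = { 0xff,0xff,0xff,0x7f, 5,0,0,0 }; /* count exceeds data */
const unsigned char short_rec[] = { 2,0 };                          /* truncated header */

int main(void) {
    uint32_t s = 0;
    int rc = sum_bounded(good_rec, sizeof good_rec, &s);
    printf("good:  rc=%d sum=%u\n", rc, (unsigned)s);
    printf("lying: rc=%d\n", sum_bounded(lying_rec, sizeof lying_rec, &s));
    printf("short: rc=%d\n", sum_bounded(short_rec, sizeof short_rec, &s));
    return 0;
}
```

The unbounded form is only safe on well-formed input; it has no way to reject `lying_rec` or `short_rec` because it never learns where the buffer ends.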

Affected Systems

gphoto's libgphoto2 library releases up to and including version 2.5.33 are vulnerable. The library is widely used for camera access and control, meaning that any application that links against these builds or compiles them into a binary is at risk if it processes data from a PTP‑compliant camera.

Risk and Exploitability

The CVSS base score of 6.1 classifies the issue as medium severity. The EPSS score of < 1% indicates that the likelihood of public exploitation is very low, and the flaw is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is local or device‑centric: an attacker must be able to supply crafted PTP packets to the library, such as through a malicious camera firmware, a compromised camera, or a network conduit that can inject data at the transport layer. With the missing size validation, a malformed payload could cause reads beyond buffer boundaries and expose memory contents of the running process.

Generated by OpenCVE AI on April 22, 2026 at 07:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch referenced by commit 1817ecead20c2aafa7549dac9619fe38f47b2f53, which adds missing length checks that address CWE‑125 and CWE‑130 by enforcing proper bounds checks on data reads.
  • Rebuild and relink all applications that depend on libgphoto2 against the updated library to ensure the bounds‑validation fixes are active.
  • If an upgrade cannot be performed immediately, restrict or disable camera functions that invoke the vulnerable PTP routines, isolate the process with sandboxing or strict security controls, and monitor for anomalous memory accesses to mitigate exploitation of the out‑of‑bounds read.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-130
References | |
Metrics | threat_severity: None | threat_severity: Moderate


Mon, 20 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gphoto; Gphoto libgphoto2
Vendors & Products | | Gphoto; Gphoto libgphoto2
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.
Title | | libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:56:44.091Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40333

Vulnrichment

Updated: 2026-04-20T14:51:41.632Z

NVD

Status: Deferred

Published: 2026-04-18T00:16:37.120

Modified: 2026-04-20T19:00:52.467

Link: CVE-2026-40333

Red Hat

Severity: Moderate

Public Date: 2026-04-17T23:11:11Z

Links: CVE-2026-40333 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T07:45:11Z

Weaknesses