Description
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
Published: 2026-04-17
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via out‑of‑bounds read
Action: Apply patch
AI Analysis

Impact

The flaw is a missing null terminator in the ptp_unpack_Canon_FE() function of libgphoto2, where a 13‑byte filename buffer is populated with strncpy without ensuring termination. When the source string is exactly 13 bytes long, the buffer remains unterminated and subsequent string operations can read past the buffer boundary, potentially revealing adjacent memory contents. The primary impact is information disclosure, consistent with CWE‑170, and the exploit does not grant code execution or privilege escalation.

Affected Systems

The vulnerability affects the gphoto library libgphoto2 for versions 2.5.33 and earlier. The patch is contained in commit 259fc7d3bfe534ce4b114c464f55b448670ab873, which raises the affected version to 2.5.34 and later.

Risk and Exploitability

The CVSS score is 3.5, indicating low severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, arising when a camera device sends PTP data that the library processes. No remote exploitation path is documented, and the risk of exploitation is considered low.

Generated by OpenCVE AI on April 18, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libgphoto2 to the patched version 2.5.34 or later as provided in commit 259fc7d3bfe534ce4b114c464f55b448670ab873
  • If an update is not immediately possible, manually replace the affected ptp-pack.c file with the corrected version from the commit
  • After updating or patching, restart any applications or services that rely on libgphoto2 to ensure the new code is in use

Generated by OpenCVE AI on April 18, 2026 at 08:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Gphoto
Gphoto libgphoto2
Vendors & Products Gphoto
Gphoto libgphoto2

Mon, 20 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 17 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
Title libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c
Weaknesses CWE-170
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

Subscriptions

Gphoto Libgphoto2
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T13:36:05.703Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40334

cve-icon Vulnrichment

Updated: 2026-04-20T13:32:33.119Z

cve-icon NVD

Status : Deferred

Published: 2026-04-18T00:16:37.257

Modified: 2026-04-20T19:00:52.467

Link: CVE-2026-40334

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-17T23:16:38Z

Links: CVE-2026-40334 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:16Z

Weaknesses