Description
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
Published: 2026-04-17
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via out‑of‑bounds read
Action: Apply patch
AI Analysis

Impact

The flaw is a missing null terminator in the ptp_unpack_Canon_FE() function of libgphoto2, where a 13‑byte filename buffer is populated with strncpy without ensuring termination. When the source string is exactly 13 bytes long, the buffer remains unterminated and subsequent string operations can read past the buffer boundary, potentially revealing adjacent memory contents. The primary impact is information disclosure, consistent with CWE‑170, and the exploit does not grant code execution or privilege escalation.

Affected Systems

The vulnerability affects the gphoto library libgphoto2 for versions 2.5.33 and earlier. The patch is contained in commit 259fc7d3bfe534ce4b114c464f55b448670ab873, which raises the affected version to 2.5.34 and later.

Risk and Exploitability

The CVSS score is 3.5, indicating low severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, arising when a camera device sends PTP data that the library processes. No remote exploitation path is documented, and the risk of exploitation is considered low.

Generated by OpenCVE AI on April 18, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libgphoto2 to the patched version 2.5.34 or later as provided in commit 259fc7d3bfe534ce4b114c464f55b448670ab873
  • If an update is not immediately possible, manually replace the affected ptp-pack.c file with the corrected version from the commit
  • After updating or patching, restart any applications or services that rely on libgphoto2 to ensure the new code is in use

Generated by OpenCVE AI on April 18, 2026 at 08:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
Title libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c
Weaknesses CWE-170
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-17T23:16:38.751Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40334

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-18T00:16:37.257

Modified: 2026-04-18T00:16:37.257

Link: CVE-2026-40334

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T09:00:05Z

Weaknesses