Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
Published: 2026-04-17
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Memory Leak (Potential Denial of Service)
Action: Patch
AI Analysis

Impact

The flaw occurs in the libgphoto2 camera library when it processes a secondary enumeration list from Sony cameras. The ptp_unpack_Sony_DPD() function incorrectly reallocates memory for the property descriptor structure without freeing the previous allocation, causing each parse of an enumeration list to leak memory. The accumulation of these leaks can exhaust the host system’s memory over time, potentially disabling the application or resulting in a denial‑of‑service condition for processes that rely on libgphoto2. The CVSS score of 2.4 indicates a low severity and no privilege escalation, code execution, or data compromise is described.

Affected Systems

All systems using libgphoto2 version 2.5.33 or earlier are vulnerable. This includes typical Linux, Windows, and macOS installations that employ the libgphoto2 library for camera communication. The affected binary is the libgphoto2 library itself; the vulnerability is triggered by any application that calls into the ptp_unpack_Sony_DPD() routine while interacting with a Sony camera that supports the secondary enumeration list introduced in 2024 and later firmware. No specific hardware or operating system versions are singled out beyond the library version requirement.

Risk and Exploitability

The CVSS rating of 2.4 and the EPSS score of 0.00006 (less than 1%) indicate that exploitation is unlikely to be automated or widely targeted, and the vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is a local attacker or inadvertently malicious application that repeatedly queries Sony camera properties, causing the memory leak to manifest. While the vulnerability cannot be used for remote code execution or confidentiality breaches, it can be leveraged to degrade system performance in a controlled environment, particularly on resource‑constrained or virtualized hosts.

Generated by OpenCVE AI on April 22, 2026 at 03:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update libgphoto2 to version 2.5.34 or later; the commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 removes the memory leak.
  • If updating the library is not immediately possible, isolate the application that uses libgphoto2 in a sandboxed or dedicated process that has a strict memory limit and is automatically restarted when the memory cap is exceeded.
  • As a temporary workaround, disable or avoid the feature that triggers the secondary enumeration list on Sony cameras; if your application permits it, use older camera firmware or bypass the advanced property queries that invoke ptp_unpack_Sony_DPD().

Generated by OpenCVE AI on April 22, 2026 at 03:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-772
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 20 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Gphoto
Gphoto libgphoto2
Vendors & Products Gphoto
Gphoto libgphoto2

Fri, 17 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
Title libgphoto2 has memory leak in ptp_unpack_Sony_DPD() secondary enumeration list in ptp-pack.c
Weaknesses CWE-401
References
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Gphoto Libgphoto2
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T16:14:53.071Z

Reserved: 2026-04-10T22:50:01.357Z

Link: CVE-2026-40336

cve-icon Vulnrichment

Updated: 2026-04-20T16:14:49.246Z

cve-icon NVD

Status : Deferred

Published: 2026-04-18T00:16:37.523

Modified: 2026-04-20T19:00:52.467

Link: CVE-2026-40336

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-17T23:27:42Z

Links: CVE-2026-40336 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:45:06Z

Weaknesses
  • CWE-401

    Missing Release of Memory after Effective Lifetime

  • CWE-772

    Missing Release of Resource after Effective Lifetime