Impact
The flaw occurs in the libgphoto2 camera library when it processes a secondary enumeration list from Sony cameras. The ptp_unpack_Sony_DPD() function incorrectly reallocates memory for the property descriptor structure without freeing the previous allocation, so each parse of an enumeration list leaks memory. These leaks accumulate and can exhaust the host system’s memory over time, potentially disabling the application or resulting in a denial-of-service condition for processes that rely on libgphoto2. The CVSS score of 2.4 indicates low severity, and no privilege escalation, code execution, or data compromise is described.
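The leak pattern described above, shown beside its corrected form as an added example. This is a simplified model, not libgphoto2's source or the upstream fix; the struct, the wire format, the sample message and every function name here are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a property descriptor, not libgphoto2's struct. */
struct prop_desc { uint16_t count; uint32_t *values; };
static long live_allocs;   /* demo-only tracker of outstanding buffers */
static void *xcalloc(size_t n, size_t sz) { void *p = calloc(n, sz); if (p) live_allocs++; return p; }
static void xfree(void *p) { if (p) { live_allocs--; free(p); } }
/* Constructed wire format: uint16 count, then count uint32 values (host order). */
static int read_enum(const uint8_t *buf, size_t len, size_t *off, struct prop_desc *d) {
    uint16_t n;
    if (len - *off < sizeof n) return -1;
    memcpy(&n, buf + *off, sizeof n); *off += sizeof n;
    if ((len - *off) / sizeof(uint32_t) < (size_t)n) return -1;
    uint32_t *v = xcalloc(n ? n : 1, sizeof *v);
    if (!v) return -1;
    memcpy(v, buf + *off, n * sizeof *v); *off += n * sizeof *v;
    d->values = v; d->count = n;           /* overwrites whatever d owned before */
    return 0;
}

/* Primary list, then an optional secondary list that replaces it.
 * fixed == 0 keeps the leak: the primary buffer is overwritten, never freed. */
static int unpack_dpd(const uint8_t *buf, size_t len, struct prop_desc *d, int fixed) {
    size_t off = 0; d->values = NULL; d->count = 0;
    if (read_enum(buf, len, &off, d) < 0) return -1;
    if (off < len) {                       /* secondary enumeration list present */
        uint32_t *old = d->values;
        if (read_enum(buf, len, &off, d) < 0) return -1;  /* d still owns old */
        if (fixed) xfree(old);             /* release the replaced buffer */
    }
    return 0;
}

/* Parse a constructed two-list message `rounds` times; return buffers left behind. */
static long leaked_after(int rounds, int fixed) {
    uint8_t msg[24]; uint16_t n1 = 2, n2 = 3; uint32_t v[3] = {1, 2, 3};
    memcpy(msg, &n1, 2); memcpy(msg + 2, v, 8);
    memcpy(msg + 10, &n2, 2); memcpy(msg + 12, v, 12);
    long before = live_allocs;
    for (int i = 0; i < rounds; i++) {
        struct prop_desc d;
        (void)unpack_dpd(msg, sizeof msg, &d, fixed);
        xfree(d.values);                   /* caller frees only the final buffer */
    }
    return live_allocs - before;
}

int main(void) { return !(leaked_after(1000, 0) == 1000 && leaked_after(1000, 1) == 0); }
```

One buffer is lost per parse in the unfixed path, which is why the impact grows with the number of property queries rather than with any single message.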
Affected Systems
All systems using libgphoto2 version 2.5.33 or earlier are vulnerable. This includes typical Linux, Windows, and macOS installations that employ the libgphoto2 library for camera communication. The affected binary is the libgphoto2 library itself; the vulnerability is triggered by any application that calls into the ptp_unpack_Sony_DPD() routine while interacting with a Sony camera that supports the secondary enumeration list introduced in 2024 and later firmware. No specific hardware or operating system versions are singled out beyond the library version requirement.
Risk and Exploitability
The CVSS rating of 2.4 and the absence of an EPSS score or KEV listing suggest that exploitation is unlikely to be automated or widely targeted. The most probable attack vector is a local attacker, or an application that inadvertently triggers the flaw, repeatedly querying Sony camera properties and causing the memory leak to manifest. While the vulnerability cannot be used for remote code execution or confidentiality breaches, it can be leveraged to degrade system performance in a controlled environment, particularly on resource‑constrained or virtualized hosts.