Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686–687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.
Published: 2026-04-17
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Out‑of‑Bounds Read
Action: Apply Patch
AI Analysis

Impact

A specific function used to read Sony camera metadata performs an out‑of‑bounds read of a byte that holds a FormFlag value, because it lacks a bounds check that other camera variants correctly perform. This flaw is classified as CWE‑125 and permits an attacker who can control input to a library function to read memory bytes that the library should not expose. The read is limited to a single byte, so it does not enable arbitrary code execution or the modification of program state, but the leaked data could reveal confidential information or aid in further attack development.
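The difference between the two read patterns, shown as an added example that is not libgphoto2's code: `read_flag_unchecked`, `read_flag_checked`, `backing` and `PKT_LEN` are hypothetical names, and the sample bytes are constructed. The packet sits inside a larger array so the over-read lands on a defined adjacent byte and can be observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 4-byte property record followed, in the same
 * array, by unrelated bytes. Only the first PKT_LEN bytes are the packet. */
#define PKT_LEN 4u
static const uint8_t backing[8] = {
    0x01, 0x50, 0x02, 0x00,   /* packet bytes (constructed) */
    0xAA, 0xBB, 0xCC, 0xDD    /* adjacent memory, not part of the packet */
};

/* Pattern described for the Sony variant: the flag byte is read at
 * *poffset with no comparison against the packet length. */
static uint8_t read_flag_unchecked(const uint8_t *data, unsigned int *poffset)
{
    uint8_t flag = data[*poffset];
    *poffset += sizeof(uint8_t);
    return flag;
}

/* Pattern described for the standard unpacker: the read is refused when
 * *poffset + sizeof(uint8_t) > len. Returns 1 on success, 0 on truncation,
 * and leaves *poffset untouched on failure. */
static int read_flag_checked(const uint8_t *data, unsigned int len,
                             unsigned int *poffset, uint8_t *flag)
{
    if (*poffset + sizeof(uint8_t) > len)
        return 0;
    *flag = data[*poffset];
    *poffset += sizeof(uint8_t);
    return 1;
}

int main(void)
{
    unsigned int off = PKT_LEN;   /* earlier fields consumed the whole packet */
    uint8_t flag = 0;

    printf("unchecked: 0x%02X (byte past the packet)\n",
           read_flag_unchecked(backing, &off));
    off = PKT_LEN;
    printf("checked: %s\n",
           read_flag_checked(backing, PKT_LEN, &off, &flag) ? "read" : "rejected");
    return 0;
}
```
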

Affected Systems

The library libgphoto2, provided by the gphoto vendor, is affected in all releases up to and including version 2.5.33. Any software that links with these versions and processes Sony camera packets that trigger the ptp_unpack_Sony_DPD function is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.2 indicates a moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is local; an attacker would need to supply crafted camera data or invoke the library in a controlled way to trigger the out‑of‑bounds read, so the risk is contained to environments that expose the library to untrusted input.

Generated by OpenCVE AI on April 18, 2026 at 08:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade libgphoto2 to the latest release that includes the commit that adds the bounds check (min version 2.5.34).
  • If an upgrade is not immediately possible, rebuild the library from source using the patched commit to ensure the bounds check is present.
  • For systems that cannot update immediately, limit the use of libgphoto2 to trusted processes or disable processing of Sony camera data until the firmware fix is applied.



Advisories

No advisories yet.

History

Tue, 21 Apr 2026 00:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| References | | |
| Metrics | threat_severity: None | threat_severity: Moderate |


Mon, 20 Apr 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Gphoto; Gphoto libgphoto2 |
| Vendors & Products | | Gphoto; Gphoto libgphoto2 |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Sat, 18 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686–687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue. |
| Title | | libgphoto2 has OOB read in ptp_unpack_Sony_DPD() FormFlag parsing in ptp-pack.c |
| Weaknesses | | CWE-125 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.2, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T14:56:21.979Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40339

Vulnrichment

Updated: 2026-04-20T14:51:43.812Z

NVD

Status: Deferred

Published: 2026-04-18T00:16:37.947

Modified: 2026-04-20T19:00:52.467

Link: CVE-2026-40339

Redhat

Severity: Moderate

Public Date: 2026-04-17T23:42:32Z

Links: CVE-2026-40339 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T14:59:08Z

Weaknesses