CVE-2026-40340 - Vulnerability Details

- libgphoto2 has OOB read in ptp_unpack_OI() in ptp-pack.c via malicious PTP ObjectInfo response

Description

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. Commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33 fixes the issue.

Published: 2026-04-17

Score: 6.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A malicious PTP ObjectInfo response can cause libgphoto2 to read up to nine bytes past the validated boundary in the ptp_unpack_OI() function. This out‑of‑bounds read may leak raw memory data that the camera driver or the application handling the camera can access, leading to information disclosure. The flaw is classified as CWE‑125, an out‑of‑bounds read weakness.

Affected Systems

The vulnerability is present in libgphoto2 versions up to and including 2.5.33, which is the camera access and control library used by many desktop and embedded applications that communicate with cameras via PTP over USB or similar protocols.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. No EPSS score is available, so the exploitation likelihood cannot be quantified, but the vulnerability is not currently listed in the CISA KEV catalog. The attack vector is inferred to be remote or locally privileged, as an attacker must supply a crafted PTP ObjectInfo response that is accepted by libgphoto2, typically through a connected camera device or a compromised camera firmware.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

gphoto

libgphoto2

affected

Version	Status	Constraints
`<= 2.5.33`	affected	—

No data.

Vendor Product Confidence Versions

Gphoto

Libgphoto2

100%

Version	Status	Scheme	Platform
`[0,2.5.33]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update libgphoto2 to version 2.5.34 or later, which includes the committed fix (7c7f515bc88c3d0c4098ac965d313518e0ccbe33).
After updating, restart any applications that link to libgphoto2 to ensure the patched library is in use.
Limit PTP connections to trusted devices or restrict camera access to authorized users to reduce the opportunity for an attacker to supply a malicious PTP ObjectInfo response.

Generated by OpenCVE AI on April 18, 2026 at 17:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33
https://github.com/gphoto/libgphoto2/security/advisories/GHSA-xfw3-xvjp-5wcv
https://nvd.nist.gov/vuln/detail/CVE-2026-40340
https://www.cve.org/CVERecord?id=CVE-2026-40340

History

Mon, 20 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gphoto Gphoto libgphoto2
Vendors & Products		Gphoto Gphoto libgphoto2

Mon, 20 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-40340 https://www.cve.org/CVERecord?id=CVE-2026-40340
Metrics	threat_severity `None`	threat_severity `Moderate`

Sat, 18 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. Commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33 fixes the issue.
Title		libgphoto2 has OOB read in ptp_unpack_OI() in ptp-pack.c via malicious PTP ObjectInfo response
Weaknesses		CWE-125
References		https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33 https://github.com/gphoto/libgphoto2/security/advisories/GHSA-xfw3-xvjp-5wcv
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}`

Subscriptions

Gphoto Libgphoto2

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-17T23:45:17.467Z

Updated: 2026-04-20T13:36:05.149Z

Reserved: 2026-04-10T22:50:01.358Z

Link: CVE-2026-40340

Vulnrichment

Updated: 2026-04-20T13:32:26.714Z

NVD

Status : Deferred

Published: 2026-04-18T00:16:38.087

Modified: 2026-04-20T19:00:52.467

Link: CVE-2026-40340

Redhat

Severity : Moderate

Publid Date: 2026-04-17T23:45:17Z

Links: CVE-2026-40340 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T14:59:07Z

Weaknesses

CWE-125

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object