libgphoto2, a camera access and control library, contains an out-of-bounds read vulnerability (CWE-125) in versions up to 2.5.33. Specifically, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but lack a length parameter, leading to unbounded reads. The callers in ptp_unpack_EOS_events() have access to the buffer size (xsize) but do not pass it to these functions, resulting in no validation against buffer boundaries. This can cause reading beyond the intended memory, potentially leading to confidentiality loss and denial of service. The issue is addressed in commit 1817ecead20c2aafa7549dac9619fe38f47b2f53. The CVSS 3.1 base score is 6.1 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H), indicating a medium severity vulnerability exploitable remotely over a physical network without privileges or user interaction.

The vulnerability allows an attacker with physical network access to trigger out-of-bounds reads in libgphoto2, potentially leading to disclosure of sensitive information (confidentiality impact) and denial of service (availability impact). There is no indication of integrity impact. No known exploits are reported in the wild at this time.

A fix for this vulnerability has been committed (commit 1817ecead20c2aafa7549dac9619fe38f47b2f53), but no official patch release or vendor advisory is currently available. Users should monitor the official gphoto project for updated releases containing this fix and apply them promptly once available. Until then, cautious handling of untrusted data with libgphoto2 is advised. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.