CVE-2026-40336: CWE-401: Missing Release of Memory after Effective Lifetime in gphoto libgphoto2
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
AI Analysis
Technical Summary
libgphoto2, a camera access and control library, contains a memory leak in versions up to 2.5.33 within the ptp_unpack_Sony_DPD() function located in camlibs/ptp2/ptp-pack.c. When handling a secondary enumeration list introduced by 2024+ Sony cameras, the function calls calloc() to allocate memory for dpd->FORM.Enum.SupportedValue without freeing the previously allocated memory, resulting in a leak of the original array and any contained strings on every property descriptor parse. The issue is tracked as CWE-401 (Missing Release of Memory after Effective Lifetime). The vulnerability has a CVSS 3.1 base score of 2.4, reflecting low severity and limited impact. A commit identified by hash 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the problem, although no official patch release or vendor advisory is provided in the data.
Potential Impact
The vulnerability causes a memory leak that can lead to resource exhaustion if the affected function is invoked repeatedly, potentially degrading application availability. There is no impact on confidentiality or integrity. No known exploits are reported in the wild.
Mitigation Recommendations
A code fix has been committed to address the memory leak. However, no official patch release or vendor advisory is currently available. Users should monitor the libgphoto2 project for an official update that includes this fix and apply it once released. Until then, be aware of the potential for increased memory usage when processing affected Sony camera data. Patch status is not yet confirmed—check the vendor advisory or project repository for current remediation guidance.
CVE-2026-40336: CWE-401: Missing Release of Memory after Effective Lifetime in gphoto libgphoto2
Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
CVSS v3.1
Score 2.4low
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
libgphoto2, a camera access and control library, contains a memory leak in versions up to 2.5.33 within the ptp_unpack_Sony_DPD() function located in camlibs/ptp2/ptp-pack.c. When handling a secondary enumeration list introduced by 2024+ Sony cameras, the function calls calloc() to allocate memory for dpd->FORM.Enum.SupportedValue without freeing the previously allocated memory, resulting in a leak of the original array and any contained strings on every property descriptor parse. The issue is tracked as CWE-401 (Missing Release of Memory after Effective Lifetime). The vulnerability has a CVSS 3.1 base score of 2.4, reflecting low severity and limited impact. A commit identified by hash 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the problem, although no official patch release or vendor advisory is provided in the data.
Potential Impact
The vulnerability causes a memory leak that can lead to resource exhaustion if the affected function is invoked repeatedly, potentially degrading application availability. There is no impact on confidentiality or integrity. No known exploits are reported in the wild.
Mitigation Recommendations
A code fix has been committed to address the memory leak. However, no official patch release or vendor advisory is currently available. Users should monitor the libgphoto2 project for an official update that includes this fix and apply it once released. Until then, be aware of the potential for increased memory usage when processing affected Sony camera data. Patch status is not yet confirmed—check the vendor advisory or project repository for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T22:50:01.357Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2c47fbdfbbecc59a12f90
Added to database: 4/17/2026, 11:38:39 PM
Last enriched: 4/25/2026, 2:51:13 AM
Last updated: 6/3/2026, 4:20:08 AM
Views: 87
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.