CVE-2026-40336: CWE-401: Missing Release of Memory after Effective Lifetime in gphoto libgphoto2
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
AI Analysis
Technical Summary
The vulnerability in libgphoto2 (CVE-2026-40336) is a memory leak classified under CWE-401. It affects versions up to and including 2.5.33 in the ptp_unpack_Sony_DPD() function located in camlibs/ptp2/ptp-pack.c. When handling a secondary enumeration list introduced in 2024+ Sony cameras, the function calls calloc() to allocate memory for dpd->FORM.Enum.SupportedValue without freeing the previously allocated memory, leading to a leak each time a property descriptor is parsed. This flaw can cause gradual memory consumption increase, potentially impacting system availability. The issue is fixed in a specific commit (404ff02c75f3cb280196fc260a63c4d26cf1a8f6), but no formal patch release or vendor advisory is provided in the data.
Potential Impact
The vulnerability results in a memory leak that can cause increased memory usage over time, potentially leading to degraded system performance or availability issues. There is no impact on confidentiality or integrity. No known exploits have been reported, indicating limited immediate risk.
Mitigation Recommendations
A fix for this memory leak exists in the codebase as per commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6. However, no official patch or vendor advisory is currently available. Users should monitor the libgphoto2 project for an official release containing this fix and update to a version beyond 2.5.33 once available. Until then, mitigating the risk involves limiting exposure to affected versions and monitoring resource usage where libgphoto2 is deployed.
CVE-2026-40336: CWE-401: Missing Release of Memory after Effective Lifetime in gphoto libgphoto2
Description
libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (lines 884–885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in libgphoto2 (CVE-2026-40336) is a memory leak classified under CWE-401. It affects versions up to and including 2.5.33 in the ptp_unpack_Sony_DPD() function located in camlibs/ptp2/ptp-pack.c. When handling a secondary enumeration list introduced in 2024+ Sony cameras, the function calls calloc() to allocate memory for dpd->FORM.Enum.SupportedValue without freeing the previously allocated memory, leading to a leak each time a property descriptor is parsed. This flaw can cause gradual memory consumption increase, potentially impacting system availability. The issue is fixed in a specific commit (404ff02c75f3cb280196fc260a63c4d26cf1a8f6), but no formal patch release or vendor advisory is provided in the data.
Potential Impact
The vulnerability results in a memory leak that can cause increased memory usage over time, potentially leading to degraded system performance or availability issues. There is no impact on confidentiality or integrity. No known exploits have been reported, indicating limited immediate risk.
Mitigation Recommendations
A fix for this memory leak exists in the codebase as per commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6. However, no official patch or vendor advisory is currently available. Users should monitor the libgphoto2 project for an official release containing this fix and update to a version beyond 2.5.33 once available. Until then, mitigating the risk involves limiting exposure to affected versions and monitoring resource usage where libgphoto2 is deployed.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T22:50:01.357Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2c47fbdfbbecc59a12f90
Added to database: 4/17/2026, 11:38:39 PM
Last enriched: 4/17/2026, 11:53:19 PM
Last updated: 4/20/2026, 4:30:44 AM
Views: 24
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.