CVE-2026-40338: CWE-125: Out-of-bounds Read in gphoto libgphoto2
CVE-2026-40338 is an out-of-bounds read vulnerability in libgphoto2 versions up to and including 2. 5. 33. The flaw occurs in the PTP_DPFF_Enumeration case of the ptp_unpack_Sony_DPD() function, which reads a 2-byte enumeration count without verifying sufficient buffer length. This omission can lead to reading beyond the buffer boundary. A fix for this issue was introduced in commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.
AI Analysis
Technical Summary
The vulnerability in libgphoto2 (<= 2.5.33) involves an out-of-bounds read in the ptp_unpack_Sony_DPD() function within camlibs/ptp2/ptp-pack.c. Specifically, the function reads a 2-byte enumeration count via dtoh16o(data, *poffset) without checking if 2 bytes remain in the buffer, unlike the standard ptp_unpack_DPD() function which includes this check. This leads to a potential out-of-bounds read condition classified as CWE-125. The issue was corrected in a later commit that added the missing boundary check.
Potential Impact
This vulnerability allows an attacker to cause an out-of-bounds read, which can lead to information disclosure (confidentiality impact) and potentially cause a denial of service (availability impact). The CVSS 3.1 score is 5.2 (medium severity), reflecting that the attack vector requires physical access (AV:P) and no privileges or user interaction are needed. There is no indication of known exploits in the wild.
Mitigation Recommendations
A fix for this vulnerability is available in the codebase as indicated by commit 3b9f9696be76ae51dca983d9dd8ce586a2561845. Users should upgrade libgphoto2 to a version later than 2.5.33 that includes this fix. Since no official vendor advisory or patch link is provided, users should verify the fix in the upstream repository or wait for an official release containing this commit. Patch status is not yet confirmed via vendor advisory; check the vendor or project repository for current remediation guidance.
CVE-2026-40338: CWE-125: Out-of-bounds Read in gphoto libgphoto2
Description
CVE-2026-40338 is an out-of-bounds read vulnerability in libgphoto2 versions up to and including 2. 5. 33. The flaw occurs in the PTP_DPFF_Enumeration case of the ptp_unpack_Sony_DPD() function, which reads a 2-byte enumeration count without verifying sufficient buffer length. This omission can lead to reading beyond the buffer boundary. A fix for this issue was introduced in commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in libgphoto2 (<= 2.5.33) involves an out-of-bounds read in the ptp_unpack_Sony_DPD() function within camlibs/ptp2/ptp-pack.c. Specifically, the function reads a 2-byte enumeration count via dtoh16o(data, *poffset) without checking if 2 bytes remain in the buffer, unlike the standard ptp_unpack_DPD() function which includes this check. This leads to a potential out-of-bounds read condition classified as CWE-125. The issue was corrected in a later commit that added the missing boundary check.
Potential Impact
This vulnerability allows an attacker to cause an out-of-bounds read, which can lead to information disclosure (confidentiality impact) and potentially cause a denial of service (availability impact). The CVSS 3.1 score is 5.2 (medium severity), reflecting that the attack vector requires physical access (AV:P) and no privileges or user interaction are needed. There is no indication of known exploits in the wild.
Mitigation Recommendations
A fix for this vulnerability is available in the codebase as indicated by commit 3b9f9696be76ae51dca983d9dd8ce586a2561845. Users should upgrade libgphoto2 to a version later than 2.5.33 that includes this fix. Since no official vendor advisory or patch link is provided, users should verify the fix in the upstream repository or wait for an official release containing this commit. Patch status is not yet confirmed via vendor advisory; check the vendor or project repository for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T22:50:01.358Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e389f6bdfbbecc59765158
Added to database: 4/18/2026, 1:41:10 PM
Last enriched: 4/18/2026, 1:53:23 PM
Last updated: 4/18/2026, 4:09:19 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.