{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40333", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.357Z", "datePublished": "2026-04-17T23:11:11.073Z", "dateUpdated": "2026-04-17T23:11:11.073Z"}, "containers": {"cna": {"title": "libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"}, {"name": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "tags": ["x_refsource_MISC"], "url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53"}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"version": "<= 2.5.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:11:11.073Z"}, "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "source": {"advisory": "GHSA-hq94-cp6h-3gjp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "id": "CVE-2026-40333", "lastModified": "2026-04-18T00:16:37.120", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:37.120", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53"}, {"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:49:24.243186+00:00", "value": {"mitigation_remediation": ["Update libgphoto2 to the latest release (2.5.34 or newer) which includes commit 1817ecead20c2aafa7549dac9619fe38f47b2f53.", "Rebuild and relink all applications that depend on libgphoto2 against the updated library to activate the fix.", "If an upgrade is not yet possible, limit or sandbox the library\u2019s exposure by disabling camera functions that trigger the vulnerable PTP routines and isolating the process with strict memory protection controls."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Affected releases include libgphoto2 versions up to and including 2.5.33. The library is widely used for camera access and control, meaning any system that compiles or links against these versions could be vulnerable if it processes data from an EOS camera or utilizes the PTP protocol during event handling.", "description_and_impact": "The vulnerability in libgphoto2 arises from out-of-bounds memory reads caused by missing length parameters in two unpacking functions. The functions ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() in camlibs/ptp2/ptp-pack.c read data without validating the buffer size, leading to a potential disclosure of arbitrary data in user memory. This flaw corresponds to CWE\u2011125, indicating an unchecked read beyond a buffer boundary.", "risk_and_exploitability": "The CVSS base score of 6.1 classifies the issue as moderate severity, and the absence of an EPSS score indicates limited publicly known exploitation data. The flaw is not listed in the CISA KEV catalog, suggesting it is not a widely exploited vulnerability. Exploitation would require an attacker able to supply crafted PTP packets to the library, such as through a compromised camera device or a manufacturing environment that can inject data at the transport layer. While the attack vector appears local or device\u2011centric, the lack of input length checks makes the read boundary validation impossible within the library, so any corrupted payload could leak memory contents to the running process."}}}}, "created": "2026-04-18T09:00:05.892893+00:00", "updated": "2026-04-18T09:00:05.892903+00:00", "vendors": []}