{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40339", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.358Z", "datePublished": "2026-04-17T23:42:32.586Z", "dateUpdated": "2026-04-17T23:42:32.586Z"}, "containers": {"cna": {"title": "libgphoto2 has OOB read in ptp_unpack_Sony_DPD() FormFlag parsing in ptp-pack.c", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-42cm-m9hc-r7q8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-42cm-m9hc-r7q8"}, {"name": "https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d", "tags": ["x_refsource_MISC"], "url": "https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d"}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"version": "<= 2.5.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:42:32.586Z"}, "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686\u2013687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue."}], "source": {"advisory": "GHSA-42cm-m9hc-r7q8", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686\u2013687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue."}], "id": "CVE-2026-40339", "lastModified": "2026-04-18T00:16:37.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:37.947", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d"}, {"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-42cm-m9hc-r7q8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:46:00.203413+00:00", "value": {"mitigation_remediation": ["Upgrade libgphoto2 to the latest release that includes the commit that adds the bounds check (min version 2.5.34).", "If an upgrade is not immediately possible, rebuild the library from source using the patched commit to ensure the bounds check is present.", "For systems that cannot update immediately, limit the use of libgphoto2 to trusted processes or disable processing of Sony camera data until the firmware fix is applied."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Out\u2011of\u2011Bounds Read"}, "threat_synthesis": {"affected_systems": "The library libgphoto2, provided by the gphoto vendor, is affected in all releases up to and including version 2.5.33. Any software that links with these versions and processes Sony camera packets that trigger the ptp_unpack_Sony_DPD function is potentially vulnerable.", "description_and_impact": "A specific function used to read Sony camera metadata performs an out\u2011of\u2011bounds read of a byte that holds a FormFlag value, because it lacks a bounds check that other camera variants correctly perform. This flaw is classified as CWE\u2011125 and permits an attacker who can control input to a library function to read memory bytes that the library should not expose. The read is limited to a single byte, so it does not enable arbitrary code execution or the modification of program state, but the leaked data could reveal confidential information or aid in further attack development.", "risk_and_exploitability": "The CVSS score of 5.2 indicates a moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is local; an attacker would need to supply crafted camera data or invoke the library in a controlled way to trigger the out\u2011of\u2011bounds read, so the risk is contained to environments that expose the library to untrusted input."}}}}, "created": "2026-04-18T09:00:05.890043+00:00", "updated": "2026-04-18T09:00:05.890065+00:00", "vendors": []}