Skip to main content

Red Hat CVE-2026-40333

MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-18 security-advisories@github.com
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 28, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:37 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive information from process memory or cause denial of service via malformed EOS event data. Two functions in ptp-pack.c lack length validation, enabling unbounded buffer reads when processing camera events. The vulnerability requires physical device access and is not remotely exploitable, with no public exploit code identified at time of analysis.

Technical ContextAI

libgphoto2 is a camera control library used to interface with digital cameras via the Picture Transfer Protocol (PTP). The vulnerability resides in camlibs/ptp2/ptp-pack.c, where functions handling EOS (Canon) camera events accept data pointers without corresponding length parameters. The root cause is CWE-125 (out-of-bounds read), a classic buffer over-read flaw. The affected functions are called from ptp_unpack_EOS_events(), which has access to the buffer size (xsize) but fails to pass this boundary information to the called functions. This design flaw creates an information disclosure and denial-of-service window: an attacker who controls a malicious PTP device (or spoofs one via USB) can craft event structures with fields that cause the parser to read beyond allocated memory boundaries.

Affected ProductsAI

libgphoto2 versions up to and including 2.5.33 are affected. The vulnerability exists in the PTP2 camera library backend (camlibs/ptp2/ptp-pack.c), which is included in all standard libgphoto2 distributions. Any application linked against vulnerable libgphoto2, including gphoto2 command-line tool, graphical frontends, and media management software that uses libgphoto2 for camera support, inherits the vulnerability.

RemediationAI

Patch to the commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 or later, which adds length validation to the affected functions. Most Linux distributions should provide updated packages of libgphoto2 version 2.5.34 or later; check your distribution's package repositories. For applications bundling libgphoto2, rebuild against the patched library. Until patching is possible, mitigate by disabling automatic camera detection and limiting connections to trusted, known-good camera models via configuration whitelists, though this is cumbersome. Another compensating control is to run camera access tools in a sandboxed environment (container, VM, or AppArmor/SELinux profile) with read-only access to sensitive data, limiting the information disclosure impact. For systems where camera access is not required, uninstall libgphoto2 or disable the PTP2 camera support module. See GitHub security advisory GHSA-hq94-cp6h-3gjp and upstream commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 for implementation details.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-40333 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy