CVE-2026-40334
LOWSeverity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.
AnalysisAI
Missing null terminator in libgphoto2's ptp_unpack_Canon_FE() function allows out-of-bounds memory reads when processing Canon camera filenames. Versions up to 2.5.33 are vulnerable when a 13-byte filename without null termination is supplied, causing subsequent string operations to read beyond buffer boundaries. The vulnerability requires physical camera access and results in information disclosure or denial of service, not remote code execution.
Technical ContextAI
libgphoto2 is a camera control library used by Linux and Unix systems to interface with digital cameras via the Picture Transfer Protocol (PTP). The vulnerability exists in the Canon-specific PTP packet unpacking routine (ptp_unpack_Canon_FE) in camlibs/ptp2/ptp-pack.c at line 1377. The function uses strncpy() to copy a filename into a fixed 13-byte buffer without explicitly null-terminating the copied string. CWE-170 (Improper Null Termination) describes the root cause: when strncpy() copies exactly N bytes into an N-byte buffer, it does not append a null terminator, leaving the buffer unterminated. Any subsequent string function (strlen, strcpy, printf) will read past the buffer boundary seeking a null terminator, violating memory safety. CPE affected: cpe:2.3:a:gphoto:libgphoto2:*:*:*:*:*:*:*:* with versions up to and including 2.5.33.
Affected ProductsAI
libgphoto2 versions up to and including 2.5.33 (CPE: cpe:2.3:a:gphoto:libgphoto2:*:*:*:*:*:*:*:*) are vulnerable. The vulnerability is specific to Canon PTP packet handling and only triggers when a 13-byte filename without null termination is present in camera data. Affected systems are those using libgphoto2 to interface with Canon digital cameras.
RemediationAI
Apply the upstream fix by upgrading libgphoto2 to version 2.5.34 or later, which includes commit 259fc7d3bfe534ce4b114c464f55b448670ab873. The patch adds explicit null termination to the buffer after strncpy(). For systems unable to update immediately, reduce exposure by disconnecting untrusted or unfamiliar camera devices and avoiding use of libgphoto2 with cameras of unknown firmware origin. Because the vulnerability requires a malformed or compromised camera to trigger, the practical mitigation is patch deployment on systems that actively use libgphoto2; systems that have libgphoto2 installed but never connect cameras have negligible risk. See GitHub security advisory GHSA-ph87-cc3j-c6hm for vendor patch details and commit reference.
Same weakness CWE-170 – Improper Null Termination
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today