Skip to main content

CVE-2026-40334

LOW
Improper Null Termination (CWE-170)
2026-04-18 security-advisories@github.com
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Apr 18, 2026 - 00:37 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
LOW 3.5

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue.

AnalysisAI

Missing null terminator in libgphoto2's ptp_unpack_Canon_FE() function allows out-of-bounds memory reads when processing Canon camera filenames. Versions up to 2.5.33 are vulnerable when a 13-byte filename without null termination is supplied, causing subsequent string operations to read beyond buffer boundaries. The vulnerability requires physical camera access and results in information disclosure or denial of service, not remote code execution.

Technical ContextAI

libgphoto2 is a camera control library used by Linux and Unix systems to interface with digital cameras via the Picture Transfer Protocol (PTP). The vulnerability exists in the Canon-specific PTP packet unpacking routine (ptp_unpack_Canon_FE) in camlibs/ptp2/ptp-pack.c at line 1377. The function uses strncpy() to copy a filename into a fixed 13-byte buffer without explicitly null-terminating the copied string. CWE-170 (Improper Null Termination) describes the root cause: when strncpy() copies exactly N bytes into an N-byte buffer, it does not append a null terminator, leaving the buffer unterminated. Any subsequent string function (strlen, strcpy, printf) will read past the buffer boundary seeking a null terminator, violating memory safety. CPE affected: cpe:2.3:a:gphoto:libgphoto2:*:*:*:*:*:*:*:* with versions up to and including 2.5.33.

Affected ProductsAI

libgphoto2 versions up to and including 2.5.33 (CPE: cpe:2.3:a:gphoto:libgphoto2:*:*:*:*:*:*:*:*) are vulnerable. The vulnerability is specific to Canon PTP packet handling and only triggers when a 13-byte filename without null termination is present in camera data. Affected systems are those using libgphoto2 to interface with Canon digital cameras.

RemediationAI

Apply the upstream fix by upgrading libgphoto2 to version 2.5.34 or later, which includes commit 259fc7d3bfe534ce4b114c464f55b448670ab873. The patch adds explicit null termination to the buffer after strncpy(). For systems unable to update immediately, reduce exposure by disconnecting untrusted or unfamiliar camera devices and avoiding use of libgphoto2 with cameras of unknown firmware origin. Because the vulnerability requires a malformed or compromised camera to trigger, the practical mitigation is patch deployment on systems that actively use libgphoto2; systems that have libgphoto2 installed but never connect cameras have negligible risk. See GitHub security advisory GHSA-ph87-cc3j-c6hm for vendor patch details and commit reference.

Share

CVE-2026-40334 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy