Skip to main content

Red Hat CVE-2026-40335

MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-18 security-advisories@github.com
5.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.2 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.2 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 28, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:39 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 5.2

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in ptp_unpack_DPV() in camlibs/ptp2/ptp-pack.c (lines 622-629). The UINT128 and INT128 cases advance *offset += 16 without verifying that 16 bytes remain in the buffer. The entry check at line 609 only guarantees *offset < total (at least 1 byte available), leaving up to 15 bytes unvalidated. Commit 433bde9888d70aa726e32744cd751d7dbe94379a patches the issue.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 in the PTP protocol parser allows information disclosure and potential denial of service when processing specially crafted camera responses. The vulnerability exists in ptp_unpack_DPV() where UINT128 and INT128 cases advance the buffer offset by 16 bytes without verifying sufficient buffer remains available, potentially exposing adjacent memory. Exploitation requires physical access to connect a malicious camera device (AV:P), but no special authentication or user interaction is needed once connected. No public exploit code identified at time of analysis.

Technical ContextAI

libgphoto2 is a library for accessing digital cameras via USB and other protocols, with support for the Picture Transfer Protocol (PTP) used by most consumer and professional cameras. The vulnerability resides in ptp-pack.c, specifically the ptp_unpack_DPV() function which deserializes binary data from camera responses into application structures. The function implements a bounded buffer read operation but has insufficient validation in the UINT128 and INT128 parsing branches. While the entry check at line 609 validates that at least one byte remains (offset < total), the subsequent 16-byte advancement for UINT128/INT128 types does not verify this condition, allowing reads up to 15 bytes past the actual data boundary. This is a classic out-of-bounds read (CWE-125) where the offset calculation assumes available space without bounds checking. The affected CPE scope is libgphoto2 through version 2.5.33, typically deployed on Linux systems, embedded devices, and photography/imaging applications using the library for camera communication.

Affected ProductsAI

libgphoto2 versions 2.5.33 and earlier are affected. This includes Debian, Ubuntu, Fedora, and other Linux distribution packages of libgphoto2, as well as macOS and Windows versions shipped with photography and imaging applications. No explicit version range lower bound is documented; analysis of GitHub history and releases suggests the vulnerability may exist in much earlier versions, but the GHSA advisory references only versions up to 2.5.33. Applications using libgphoto2 as a dependency (such as digiKam, Shotwell, gPhoto command-line tools, and embedded camera management systems) inherit this risk when running on vulnerable library versions.

RemediationAI

Upgrade libgphoto2 to a version incorporating commit 433bde9888d70aa726e32744cd751d7dbe94379a or later. Most distributions will release patched packages (2.5.34 or newer); check your OS vendor's security advisories for exact patched version numbers. Debian, Ubuntu, Fedora, and other maintainers should provide updated packages through standard package management (apt, dnf, pacman, etc.). For applications bundling libgphoto2, contact the application vendor for a patched release. No effective workarounds exist short of preventing camera device connections; if patching is delayed, restrict USB device access via physical controls (disable USB ports, remove USB connectors) or mandatory access controls (disable udev rules that auto-mount camera devices, disable gphoto2 services). Note that disabling camera support removes legitimate photography workflow functionality, so this mitigation is suitable only for high-security or air-gapped environments where camera use is not required.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-40335 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy