Skip to main content

CVE-2026-40336

LOW
Memory Leak (CWE-401)
2026-04-18 security-advisories@github.com
2.4
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.4 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Apr 18, 2026 - 00:39 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
LOW 2.4

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in ptp_unpack_Sony_DPD() in camlibs/ptp2/ptp-pack.c (lines 884-885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.

AnalysisAI

libgphoto2 versions up to 2.5.33 leak memory in the Sony camera property descriptor parser when processing secondary enumeration lists from 2024+ Sony cameras, causing denial of service through resource exhaustion on systems with repeated camera enumeration or property descriptor parsing. The vulnerability requires physical access to a Sony camera or crafted USB device communication, affecting users who interact with affected Sony camera models via libgphoto2. Vendor-released patch: version 2.5.34 and later.

Technical ContextAI

libgphoto2 is a library providing camera access and control via USB and other protocols, widely used by Linux photo management tools, GNOME Photos, and other image applications. The vulnerability resides in ptp_unpack_Sony_DPD() function in camlibs/ptp2/ptp-pack.c, which parses Sony-specific PTP (Picture Transfer Protocol) property descriptors. The PTP protocol is a standardized USB device communication protocol used by digital cameras. The root cause is improper memory management (CWE-401: Missing Release of Memory after Effective Lifetime): at line 857, the function allocates memory for dpd->FORM.Enum.SupportedValue, but when processing secondary enumeration lists introduced in Sony cameras from 2024 onward, the function allocates a new buffer at lines 884-885 without freeing the previous allocation, creating a classic memory leak. Sony's introduction of secondary enumeration lists in newer camera firmware triggered exposure of this latent memory management defect in the PTP implementation.

Affected ProductsAI

libgphoto2 versions 2.5.33 and earlier are affected (CPE: cpe:2.3:a:libgphoto2:libgphoto2:*:*:*:*:*:*:*:* where version <= 2.5.33). The vulnerability is triggered when libgphoto2 parses property descriptors from Sony cameras manufactured in 2024 or later that support secondary enumeration lists in PTP property descriptors. Affected Sony camera models include newer digital camera lines released in 2024 and beyond that implement the secondary enumeration list feature in their PTP firmware. Specific affected Sony camera model numbers are not enumerated in the available advisory; users should cross-reference their camera model against Sony's firmware release notes for 2024+ models.

RemediationAI

Vendor-released patch: libgphoto2 2.5.34 and later. Upgrade libgphoto2 library and dependent applications (GNOME Photos, gPhoto, etc.) to version 2.5.34 or later via your distribution's package manager or direct source compilation from the libgphoto2 GitHub repository. Verify the installed version with gphoto2 --version or check your application's About menu. No operational workarounds exist to prevent the memory leak other than avoiding enumeration or connection to Sony 2024+ cameras until the patch is applied. For organizations unable to upgrade immediately, compensating controls include: (1) limiting USB camera connections to dedicated workstations running memory-monitoring tools (e.g., watch for memory growth via watch free -h), restarting the application periodically to reclaim leaked memory; (2) restricting physical USB access to cameras and imaging devices via organizational policy and device control; (3) disabling auto-enumeration of cameras in photo management applications if possible, reducing the frequency of ptp_unpack_Sony_DPD() invocations. Note that these controls do not eliminate the leak but reduce exposure frequency and impact.

Share

CVE-2026-40336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy