CVE-2026-40336

LOW
2026-04-18 [email protected]
Information Disclosure
2.4
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Apr 18, 2026 - 00:39 vuln.today

DescriptionNVD

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have a memory leak in ptp_unpack_Sony_DPD() in camlibs/ptp2/ptp-pack.c (lines 884-885). When processing a secondary enumeration list (introduced in 2024+ Sony cameras), the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() without freeing the previous allocation from line 857. The original array and any string values it contains are leaked on every property descriptor parse. Commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6 fixes the issue.

AnalysisAI

libgphoto2 versions up to 2.5.33 leak memory in the Sony camera property descriptor parser when processing secondary enumeration lists from 2024+ Sony cameras, causing denial of service through resource exhaustion on systems with repeated camera enumeration or property descriptor parsing. The vulnerability requires physical access to a Sony camera or crafted USB device communication, affecting users who interact with affected Sony camera models via libgphoto2. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40336 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy