Skip to main content

Red Hat CVE-2026-40338

MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-18 security-advisories@github.com
5.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.2 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 28, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:39 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 5.2

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of ptp_unpack_Sony_DPD() in camlibs/ptp2/ptp-pack.c (line 856). The function reads a 2-byte enumeration count N via dtoh16o(data, *poffset) without verifying that 2 bytes remain in the buffer. The standard ptp_unpack_DPD() at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows physical attackers to disclose sensitive memory and cause denial of service via a malicious PTP (Picture Transfer Protocol) device. The vulnerability exists in the Sony-specific DPD unpacking function, which fails to validate buffer boundaries before reading an enumeration count, enabling attackers with direct device access to craft responses that trigger the out-of-bounds read. Patch is available via upstream commit 3b9f9696be76ae51dca983d9dd8ce586a2561845.

Technical ContextAI

libgphoto2 is a camera access library that implements PTP (Picture Transfer Protocol) for device communication. The vulnerability resides in ptp_unpack_Sony_DPD() at line 856 of camlibs/ptp2/ptp-pack.c, where the function reads a 2-byte enumeration count using dtoh16o(data, *poffset) without checking that 2 bytes remain in the buffer. CWE-125 is an out-of-bounds read vulnerability where the code reads memory beyond allocated boundaries. The standard PTP unpacking function ptp_unpack_DPD() at line 704 implements the correct boundary check, indicating the Sony variant omitted this validation by oversight. The vulnerability affects the Sony Device Property Definition enumeration case, triggered when libgphoto2 communicates with a malicious or specially crafted PTP device.

Affected ProductsAI

libgphoto2 versions up to and including 2.5.33 are affected. The vulnerability is introduced in the Sony Device Property Definition unpacking code within the PTP2 camera library module. CPE string for libgphoto2 is CPE:2.3:a:gphoto:libgphoto2:*:*:*:*:*:*:*:* with version matching up through 2.5.33. Vendor advisory is available at https://github.com/gphoto/libgphoto2/security/advisories/GHSA-2hwp-w84q-27hf.

RemediationAI

Upgrade libgphoto2 to a version after 2.5.33 that includes commit 3b9f9696be76ae51dca983d9dd8ce586a2561845. The exact patched version number is not specified in available references; verify the fix version with the upstream GitHub repository or vendor release notes. Until patching is possible, restrict physical access to systems running libgphoto2 by disabling USB camera auto-detection via device policy or udev rules, disabling PTP protocol support if not required, and isolating camera connection interfaces to trusted networks only. If libgphoto2 is embedded in forensic tools or tethered photography workflows, implement user warnings when connecting untrusted devices and run libgphoto2 in a sandboxed environment with memory protection enabled. These mitigations trade convenience and feature completeness for reduced attack surface.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-40338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy