Skip to main content

Red Hat CVE-2026-40339

MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-18 security-advisories@github.com
5.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.2 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
SUSE
MEDIUM
qualitative
Red Hat
5.0 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 28, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 5.2

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in ptp_unpack_Sony_DPD() in camlibs/ptp2/ptp-pack.c (line 842). The function reads the FormFlag byte via dtoh8o(data, *poffset) without a prior bounds check. The standard ptp_unpack_DPD() at lines 686-687 correctly validates *offset + sizeof(uint8_t) > dpdlen before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive memory and potentially cause denial of service via a specially crafted Sony camera device. The vulnerability exists in the Sony-specific PTP packet unpacking function which omits bounds validation present in the standard variant, enabling attackers with direct camera access to trigger information disclosure and minor availability impact.

Technical ContextAI

libgphoto2 implements the Picture Transfer Protocol (PTP) for camera communication via the ptp-pack.c module. The vulnerability resides in ptp_unpack_Sony_DPD() at line 842, which unpacks device property descriptors from Sony cameras. The function reads a FormFlag byte without validating that the read offset plus sizeof(uint8_t) remains within the data buffer bounds (dpdlen). The standard ptp_unpack_DPD() function correctly performs this bounds check at lines 686-687 using *offset + sizeof(uint8_t) > dpdlen before the identical read operation. This is a classic out-of-bounds read (CWE-125) where the Sony variant's code path bypasses the protective validation logic present in the non-Sony code path, creating an information disclosure window. CPE: cpe:2.3:a:gphoto:libgphoto2:*:*:*:*:*:*:*:* (versions 0 through 2.5.33).

Affected ProductsAI

libgphoto2 versions 0 through 2.5.33 are affected, with the vulnerability specifically triggered when processing Sony camera devices communicating via PTP. The issue is present in the Sony-variant packet unpacking code path (ptp_unpack_Sony_DPD function) in camlibs/ptp2/ptp-pack.c. The fix is available in the upstream repository via commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d (https://github.com/gphoto/libgphoto2/commit/09f8a940b1e418b5693f5c11e3016a1ad2cea62d) and addressed in GitHub Security Advisory GHSA-42cm-m9hc-r7q8 (https://github.com/gphoto/libgphoto2/security/advisories/GHSA-42cm-m9hc-r7q8). Users of libgphoto2 installations that interact with Sony camera hardware are at risk.

RemediationAI

Upgrade libgphoto2 to a version incorporating commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d or later. The upstream fix adds bounds validation to ptp_unpack_Sony_DPD() matching the protective checks already present in ptp_unpack_DPD(), eliminating the out-of-bounds read condition. Check the GitHub repository (https://github.com/gphoto/libgphoto2) and GHSA-42cm-m9hc-r7q8 advisory for patched release versions. If immediate patching is not feasible, restrict physical access to camera devices and disable Sony PTP camera support at the application or system level if not required for normal operations. Validate camera firmware from trusted sources before connecting to systems running libgphoto2, as malicious camera firmware could trigger this vulnerability. Test patched versions thoroughly in your environment before production deployment, as the bounds-checking fix may affect performance characteristics of large PTP packet processing.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-40339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy