CVE-2026-40339

MEDIUM
2026-04-18 [email protected]
Information Disclosure Buffer Overflow
5.2
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today

DescriptionNVD

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in ptp_unpack_Sony_DPD() in camlibs/ptp2/ptp-pack.c (line 842). The function reads the FormFlag byte via dtoh8o(data, *poffset) without a prior bounds check. The standard ptp_unpack_DPD() at lines 686-687 correctly validates *offset + sizeof(uint8_t) > dpdlen before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a connected camera to read sensitive memory and potentially cause denial of service via a specially crafted Sony camera device. The vulnerability exists in the Sony-specific PTP packet unpacking function which omits bounds validation present in the standard variant, enabling attackers with direct camera access to trigger information disclosure and minor availability impact.

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-40339 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy