Skip to main content

Samsung CVE-2026-40340

MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-18 security-advisories@github.com
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
MEDIUM
qualitative
Red Hat
6.1 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Apr 28, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in ptp_unpack_OI() in camlibs/ptp2/ptp-pack.c (lines 530-563). The function validates len < PTP_oi_SequenceNumber (i.e., len < 48) but subsequently accesses offsets 48-56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. Commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33 fixes the issue.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical access to a USB-connected camera to trigger information disclosure or denial of service via malformed PTP protocol data during Samsung Galaxy device enumeration. The vulnerability exists in ptp_unpack_OI() which validates buffer boundaries at 48 bytes but subsequently reads up to 56 bytes, exceeding the boundary by 9 bytes. A fix is available in commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33.

Technical ContextAI

libgphoto2 is a camera access library that communicates with digital cameras using the Picture Transfer Protocol (PTP). The vulnerability resides in the PTP unpacking routine ptp_unpack_OI() in camlibs/ptp2/ptp-pack.c (lines 530-563), which deserializes camera ObjectInfo responses. The function implements a Samsung Galaxy-specific 64-bit object size detection heuristic that causes it to read beyond validated memory boundaries. The root cause is an out-of-bounds read (CWE-125) where the function checks if len < PTP_oi_SequenceNumber (48 bytes) but then accesses memory offsets 48-56, reading 9 bytes beyond the validated boundary. This occurs when processing malformed or adversarial PTP protocol responses from a connected camera device.

Affected ProductsAI

libgphoto2 versions 2.5.33 and earlier are affected. The vulnerability specifically impacts the PTP camera library component (camlibs/ptp2/ptp-pack.c) used when communicating with Samsung Galaxy devices and potentially other PTP-compliant cameras. The fix is available in upstream commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33. GitHub Security Advisory GHSA-xfw3-xvjp-5wcv provides official vulnerability disclosure.

RemediationAI

Upgrade libgphoto2 to a version incorporating commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33 or later. Check your distribution's package repository for patched versions (e.g., apt update && apt install libgphoto2-6 on Debian/Ubuntu systems after the patch is released). If immediate patching is not possible, implement compensating controls: restrict physical USB access to trusted devices only via hardware locks or connection policies, disable automatic camera detection/mounting when untrusted devices may be connected, or operate libgphoto2-dependent tools in isolated or sandboxed environments to limit information disclosure scope. The GitHub Security Advisory (GHSA-xfw3-xvjp-5wcv) provides additional context. Note that this vulnerability requires active connection to a malicious or compromised camera, so network-only deployments are unaffected.

CVE-2024-7399 HIGH POC
8.8 Aug 12

Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att

CVE-2025-4632 CRITICAL POC
9.8 May 13

Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary

CVE-2012-4333 CRITICAL POC
10.0 Aug 14

Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0

CVE-2017-16524 HIGH POC
8.8 Nov 06

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u

CVE-2015-8279 HIGH POC
8.6 Jan 15

Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un

CVE-2017-17692 HIGH POC
7.5 Dec 21

Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat

CVE-2012-6429 CRITICAL POC
10.0 Apr 04

Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7

CVE-2012-4329 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart

CVE-2012-4330 HIGH POC
7.8 Aug 14

The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long

CVE-2012-4334 CRITICAL POC
10.0 Aug 14

The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v

CVE-2015-5473 CRITICAL
9.8 Jun 01

Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary

CVE-2012-4250 CRITICAL POC
9.3 Aug 13

Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed

Share

CVE-2026-40340 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy