Skip to main content

CVE-2026-40341

LOW
Buffer Over-read (CWE-126)
2026-04-18 security-advisories@github.com
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Apr 18, 2026 - 00:40 vuln.today
Analysis Generated
Apr 18, 2026 - 00:22 vuln.today
CVE Published
Apr 18, 2026 - 00:16 nvd
LOW 3.5

DescriptionGitHub Advisory

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out of bound read in ptp_unpack_EOS_FocusInfoEx could be used to crash libgphoto2 when processing input from untrusted USB devices. Commit c385b34af260595dfbb5f9329526be5158985987 contains a patch. No known workarounds are available.

AnalysisAI

Out-of-bounds read in libgphoto2 versions up to 2.5.33 allows local attackers with physical USB access to crash the library via malformed PTP protocol data from untrusted camera devices, affecting applications using libgphoto2 for camera enumeration and control on desktop systems.

Technical ContextAI

libgphoto2 is a userspace library enabling camera communication via the Picture Transfer Protocol (PTP) and USB protocols. The vulnerability resides in the ptp_unpack_EOS_FocusInfoEx function, which parses Canon EOS-specific PTP extension data without proper bounds validation (CWE-126: Out-of-bounds Read). When a malicious or malfunctioning USB device presents crafted PTP protocol packets, the function reads past allocated buffer boundaries, triggering a denial-of-service condition. The vulnerability is triggered during device initialization or enumeration when libgphoto2 processes vendor-specific PTP packets.

Affected ProductsAI

libgphoto2 versions 2.5.33 and earlier are affected. This includes the library itself (CPE: purl:pkg:deb/debian/libgphoto2; purl:pkg:rpm/fedora/libgphoto2) and all applications statically or dynamically linked against libgphoto2, including GNOME Photos, digiKam, Gphoto2 command-line utility, and other camera-management tools. Affected distributions include Debian, Ubuntu (packaged as libgphoto2-6 and libgphoto2-6-dev), Fedora, and Red Hat systems. The fix is available in upstream commit c385b34af260595dfbb5f9329526be5158985987 and should be present in libgphoto2 version 2.5.34 or later.

RemediationAI

Update libgphoto2 to version 2.5.34 or later. On Debian/Ubuntu systems, run 'apt-get update && apt-get upgrade libgphoto2-6' or equivalent. On Fedora/RHEL, use 'dnf upgrade libgphoto2'. Verify the update includes commit c385b34af260595dfbb5f9329526be5158985987 by checking the commit log. Applications statically linked against libgphoto2 must be recompiled against the patched library version. If immediate patching is impossible in constrained environments, restrict physical USB access or disable camera enumeration at the application level (e.g., in GNOME Photos, remove the 'Camera' datasource plugin or uninstall libgphoto2-based tools); note that this completely disables camera functionality and is only suitable as temporary mitigation. Review GitHub Security Advisory GHSA-vjx3-gjp6-r2g2 for distribution-specific patch availability.

Share

CVE-2026-40341 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy