2459357 – (CVE-2026-40339) CVE-2026-40339 libgphoto2: libgphoto2: Information Disclosure via out-of-bounds read

Bug 2459357 (CVE-2026-40339) - CVE-2026-40339 libgphoto2: libgphoto2: Information Disclosure via out-of-bounds read

Summary: CVE-2026-40339 libgphoto2: libgphoto2: Information Disclosure via out-of-boun...

Keywords:
Status:	NEW
Alias:	CVE-2026-40339
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2459731
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-18 00:01 UTC by OSIDB Bzimport
Modified:	2026-04-20 13:28 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-18 00:01:25 UTC

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 842). The function reads the FormFlag byte via `dtoh8o(data, *poffset)` without a prior bounds check. The standard `ptp_unpack_DPD()` at lines 686–687 correctly validates `*offset + sizeof(uint8_t) > dpdlen` before this same read, but the Sony variant omits this check entirely. Commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.