2459368 – (CVE-2026-40338) CVE-2026-40338 libgphoto2: libgphoto2: Information disclosure and denial of service via out-of-bounds read

Bug 2459368 (CVE-2026-40338) - CVE-2026-40338 libgphoto2: libgphoto2: Information disclosure and denial of service via out-of-bounds read

Summary: CVE-2026-40338 libgphoto2: libgphoto2: Information disclosure and denial of s...

Keywords:
Status:	NEW
Alias:	CVE-2026-40338
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2459734
Blocks:
TreeView+	depends on / blocked

Reported:	2026-04-18 00:01 UTC by OSIDB Bzimport
Modified:	2026-04-20 13:32 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-04-18 00:01:59 UTC

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read in the PTP_DPFF_Enumeration case of `ptp_unpack_Sony_DPD()` in `camlibs/ptp2/ptp-pack.c` (line 856). The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` at line 704 has this exact check, confirming the Sony variant omitted it by oversight. Commit 3b9f9696be76ae51dca983d9dd8ce586a2561845 fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.