{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40333", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.357Z", "datePublished": "2026-04-17T23:11:11.073Z", "dateUpdated": "2026-04-20T14:56:44.091Z"}, "containers": {"cna": {"title": "libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"}, {"name": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "tags": ["x_refsource_MISC"], "url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53"}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"version": "<= 2.5.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:11:11.073Z"}, "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "source": {"advisory": "GHSA-hq94-cp6h-3gjp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:51:40.405001Z", "id": "CVE-2026-40333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:44.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:51:40.405001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:51:41.632Z"}}], "cna": {"title": "libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c", "source": {"advisory": "GHSA-hq94-cp6h-3gjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"status": "affected", "version": "<= 2.5.33"}]}], "references": [{"url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "name": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:11:11.073Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40333", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:56:44.091Z", "dateReserved": "2026-04-10T22:50:01.357Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T23:11:11.073Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "id": "CVE-2026-40333", "lastModified": "2026-04-20T19:00:52.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:37.120", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53"}, {"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "libgphoto2: libgphoto2: Information disclosure and denial of service via unbounded reads", "id": "2459365", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459365"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-130", "details": ["libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.", "A flaw was found in libgphoto2, a library used for camera access and control. Two functions within the library's Picture Transfer Protocol (PTP) handling component do not properly validate the size of data being read, allowing for unbounded reads. A local attacker with physical access to a system utilizing libgphoto2 could exploit this vulnerability. This could lead to the disclosure of sensitive information from memory or cause the application to crash, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, restrict physical access to systems running libgphoto2. If camera access and control via libgphoto2 is not required, consider removing the `libgphoto2` package to eliminate the attack surface."}, "name": "CVE-2026-40333", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-17T23:11:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40333\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40333\nhttps://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53\nhttps://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.5.33]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "libgphoto2", "vendor": "gphoto"}], "analysis": {"en": {"generated_at": "2026-04-22T07:42:23.258003+00:00", "value": {"mitigation_remediation": ["Apply the patch referenced by commit 1817ecead20c2aafa7549dac9619fe38f47b2f53, which adds missing length checks that address CWE\u2011125 and CWE\u2011130 by enforcing proper bounds checks on data reads.", "Rebuild and relink all applications that depend on libgphoto2 against the updated library to ensure the bounds\u2011validation fixes are active.", "If an upgrade cannot be performed immediately, restrict or disable camera functions that invoke the vulnerable PTP routines, isolate the process with sandboxing or strict security controls, and monitor for anomalous memory accesses to mitigate exploitation of the out\u2011of\u2011bounds read."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "gphoto's libgphoto2 library releases up to and including version 2.5.33 are vulnerable. The library is widely used for camera access and control, meaning that any application that links against these builds or compiles them into a binary is at risk if it processes data from a PTP\u2011compliant camera.", "description_and_impact": "The libgphoto2 library suffers from out-of-bounds memory reads caused by two unpacking functions that accept a data pointer but omit a length parameter. Because callers provide no explicit size check, the functions read beyond the allocated buffer, potentially exposing arbitrary data from the process\u2019s memory space. This flaw corresponds to CWE\u2011125 and CWE\u2011130 and can lead to disclosure of confidential information if exploited.", "risk_and_exploitability": "The CVSS base score of 6.1 classifies the issue as moderate severity. The EPSS score of <\u00a01% indicates that the likelihood of public exploitation is very low, and the flaw is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is local or device\u2011centric: an attacker must be able to supply crafted PTP packets to the library, such as through a malicious camera firmware, a compromised camera, or a network conduit that can inject data at the transport layer. With the missing size validation, any malformed payload could read beyond buffer boundaries and leak memory contents to the running process."}}}}, "created": "2026-04-18T09:00:05.892893+00:00", "updated": "2026-04-22T07:45:11.740911+00:00", "vendors": ["gphoto", "gphoto$PRODUCT$libgphoto2"]}