{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40333", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.357Z", "datePublished": "2026-04-17T23:11:11.073Z", "dateUpdated": "2026-04-20T14:56:44.091Z"}, "containers": {"cna": {"title": "libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c", "problemTypes": [{"descriptions": [{"cweId": "CWE-125", "lang": "en", "description": "CWE-125: Out-of-bounds Read", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"}, {"name": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "tags": ["x_refsource_MISC"], "url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53"}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"version": "<= 2.5.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:11:11.073Z"}, "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "source": {"advisory": "GHSA-hq94-cp6h-3gjp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T14:51:40.405001Z", "id": "CVE-2026-40333", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:56:44.091Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40333", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T14:51:40.405001Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T14:51:41.632Z"}}], "cna": {"title": "libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c", "source": {"advisory": "GHSA-hq94-cp6h-3gjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"status": "affected", "version": "<= 2.5.33"}]}], "references": [{"url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "name": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "CWE-125: Out-of-bounds Read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:11:11.073Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40333", "state": "PUBLISHED", "dateUpdated": "2026-04-20T14:56:44.091Z", "dateReserved": "2026-04-10T22:50:01.357Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-17T23:11:11.073Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue."}], "id": "CVE-2026-40333", "lastModified": "2026-04-20T19:00:52.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.2, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-04-18T00:16:37.120", "references": [{"source": "[email protected]", "url": "https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53"}, {"source": "[email protected]", "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "[email protected]", "type": "Primary"}]}

{"bugzilla": {"description": "libgphoto2: libgphoto2: Information disclosure and denial of service via unbounded reads", "id": "2459365", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2459365"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "status": "draft"}, "cwe": "CWE-130", "details": ["libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.", "A flaw was found in libgphoto2, a library used for camera access and control. Two functions within the library's Picture Transfer Protocol (PTP) handling component do not properly validate the size of data being read, allowing for unbounded reads. A local attacker with physical access to a system utilizing libgphoto2 could exploit this vulnerability. This could lead to the disclosure of sensitive information from memory or cause the application to crash, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, restrict physical access to systems running libgphoto2. If camera access and control via libgphoto2 is not required, consider removing the `libgphoto2` package to eliminate the attack surface."}, "name": "CVE-2026-40333", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "libgphoto2", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-17T23:11:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40333\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40333\nhttps://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53\nhttps://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp"], "threat_severity": "Moderate"}