DNA View

CVE-2026-40333

Medium

Low Medium High Critical

6.1

CVSS Score

Published: Apr 18, 2026

Last Modified: Apr 18, 2026

CWE: CWE-125

Vulnerability Description

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String:

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

References & Resources

Severity Details

6.1

out of 10.0

Medium

Weakness Type (CWE)

CWE-125 Top 25 #11

Out-of-bounds Read

Description: The product reads data past the end, or before the beginning, of the intended buffer.
Typical Severity: High
Abstraction Level: Base

View CWE Details on MITRE

Key Information

Published Date: April 18, 2026

External Resources

NIST NVD

National Vulnerability Database

MITRE CVE

Official CVE record

CVE Vulnerabilities

Posts & Pages