CVE-2026-40335 Overview
CVE-2026-40335 is an out-of-bounds read vulnerability affecting libgphoto2, a widely used camera access and control library. The vulnerability exists in the ptp_unpack_DPV() function within camlibs/ptp2/ptp-pack.c at lines 622-629. Specifically, the UINT128 and INT128 case handlers advance the offset pointer by 16 bytes without properly verifying that 16 bytes remain available in the buffer. The existing boundary check at line 609 only confirms that *offset < total (guaranteeing at least 1 byte is available), leaving up to 15 bytes unvalidated and potentially triggering an out-of-bounds memory read.
Critical Impact
Physical access to a system with a malicious or specially crafted camera device could allow an attacker to read sensitive data from memory beyond buffer boundaries, potentially leaking confidential information or causing application instability.
Affected Products
- libgphoto2 versions up to and including 2.5.33
- Applications and systems integrating libgphoto2 for camera communication
- Linux distributions packaging vulnerable libgphoto2 versions
Discovery Timeline
- 2026-04-18 - CVE-2026-40335 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40335
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read). The flaw occurs during the unpacking of Picture Transfer Protocol (PTP) Device Property Values when handling 128-bit integer types. The ptp_unpack_DPV() function processes various data types from camera devices, and when encountering UINT128 or INT128 values, it unconditionally advances the buffer offset by 16 bytes.
The core issue stems from insufficient boundary validation—the function only verifies that at least one byte remains in the buffer before processing, rather than confirming that the full 16 bytes required for 128-bit integers are available. This allows a malicious device to craft PTP responses that trigger reads beyond the allocated buffer boundaries.
Root Cause
The root cause is an insufficient bounds check in the switch-case handlers for the PTP_DTC_UINT128 and PTP_DTC_INT128 data types. The entry condition at line 609 (*offset < total) provides minimal validation, ensuring only that at least 1 byte exists. When processing 128-bit types, the code increments the offset by 16 without verifying that the buffer holds that many bytes, so up to 15 bytes beyond the end of the buffer can be read.
Attack Vector
This vulnerability requires physical access to the target system (AV:P). An attacker would need to connect a malicious or compromised camera device that sends specially crafted PTP responses in which a UINT128 or INT128 value is declared but the buffer does not contain the 16 bytes it requires. When the vulnerable function processes these responses, it reads beyond the buffer boundaries, potentially exposing sensitive memory contents or causing the application to crash.
// Security patch in camlibs/ptp2/ptp-pack.c
// Source: https://github.com/gphoto/libgphoto2/commit/433bde9888d70aa726e32744cd751d7dbe94379a
case PTP_DTC_UINT64: CTVAL(value->u64,dtoh64a); break;
case PTP_DTC_UINT128:
+ if (total - *offset < 16)
+ return 0;
*offset += 16;
/*fprintf(stderr,"unhandled unpack of uint128n");*/
break;
case PTP_DTC_INT128:
+ if (total - *offset < 16)
+ return 0;
*offset += 16;
/*fprintf(stderr,"unhandled unpack of int128n");*/
break;
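Review bot: the same two-line length check is duplicated in the PTP_DTC_UINT128 and PTP_DTC_INT128 cases; since both bodies only do *offset += 16, letting one case fall through to the other would keep the check in a single place. The subtraction total - *offset is only safe if *offset cannot exceed total at this point, so a short comment stating where that is guaranteed would help, and the PTP_DTC_UINT64 context line goes through CTVAL, whose own length handling is not visible here and should be confirmed to be equivalent.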
The patch adds explicit validation to ensure 16 bytes remain in the buffer before advancing the offset, returning 0 (indicating failure) if insufficient data is available.
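The effect of the added check can be seen in a small length-only model of the unpack loop. This is an added example, not libgphoto2 code: unpack_one, walk_overrun and the hardened flag are hypothetical names, the 2- and 4-byte cases are assumed to be length-checked, and the model tracks offsets only without reading any buffer.

```c
#include <stdint.h>
#include <stdio.h>

/* PTP data type codes used by this model. */
enum { DTC_UINT16 = 0x0004, DTC_UINT32 = 0x0006, DTC_INT128 = 0x0009, DTC_UINT128 = 0x000A };

/* Consume one value of `type` at *offset. Returns 1 on success, 0 on short data.
 * hardened == 0 reproduces the pre-patch 128-bit cases (offset += 16, unchecked). */
static int unpack_one(unsigned total, unsigned *offset, uint16_t type, int hardened)
{
    unsigned need;
    if (*offset >= total)            /* entry check: at least 1 byte remains */
        return 0;
    switch (type) {
    case DTC_UINT16: need = 2; break;
    case DTC_UINT32: need = 4; break;
    case DTC_INT128:
    case DTC_UINT128:
        if (hardened && total - *offset < 16)
            return 0;                /* the check the patch adds */
        *offset += 16;
        return 1;
    default: return 0;               /* type not covered by this model */
    }
    if (total - *offset < need)      /* no wraparound: *offset < total here */
        return 0;
    *offset += need;
    return 1;
}

/* Walk a sequence of typed values. Returns how many bytes the cursor ends up
 * past `total` (0 = stayed in bounds), or -1 if a value was rejected as truncated. */
static int walk_overrun(unsigned total, const uint16_t *types, int n, int hardened)
{
    unsigned offset = 0;
    for (int i = 0; i < n; i++)
        if (!unpack_one(total, &offset, types[i], hardened))
            return -1;
    return offset > total ? (int)(offset - total) : 0;
}

int main(void)
{
    /* Constructed layout: UINT16, UINT32, then a UINT128 with only 1 byte left. */
    const uint16_t types[] = { DTC_UINT16, DTC_UINT32, DTC_UINT128 };
    printf("pre-patch overrun: %d bytes\n", walk_overrun(7, types, 3, 0));
    printf("patched result:    %d\n", walk_overrun(7, types, 3, 1));
    return 0;
}
```

With a 7-byte payload the pre-patch path leaves the cursor 15 bytes past the end, the worst case the advisory describes, while the patched path rejects the value.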
Detection Methods for CVE-2026-40335
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using libgphoto2 when connecting camera devices
- Memory access violations logged by system monitoring tools during PTP communication
- Unusual camera device enumeration or connection behavior
- Application core dumps showing memory access issues in ptp_unpack_DPV() or related functions
Detection Strategies
- Monitor system logs for segmentation faults or memory access errors in processes using libgphoto2
- Deploy memory sanitizers (AddressSanitizer, Valgrind) in development and testing environments to catch out-of-bounds reads
- Implement USB device monitoring to detect unauthorized or suspicious camera device connections
- Use SentinelOne's behavioral AI to detect anomalous memory access patterns in camera-handling applications
Monitoring Recommendations
- Enable verbose logging for applications that interface with camera devices via libgphoto2
- Monitor /var/log/syslog and /var/log/messages for PTP-related errors or crashes
- Deploy endpoint detection solutions capable of monitoring USB device enumeration events
- Establish baseline behavior for camera communication processes to identify deviations
How to Mitigate CVE-2026-40335
Immediate Actions Required
- Update libgphoto2 to a patched version that includes commit 433bde9888d70aa726e32744cd751d7dbe94379a
- Restrict physical USB port access on sensitive systems where feasible
- Implement USB device whitelisting to prevent unauthorized camera devices from connecting
- Audit systems to identify applications dependent on vulnerable libgphoto2 versions
Patch Information
The vulnerability has been addressed in commit 433bde9888d70aa726e32744cd751d7dbe94379a. This patch adds proper bounds checking for UINT128 and INT128 data types, ensuring that 16 bytes are available in the buffer before advancing the offset. Users should update to a libgphoto2 version containing this fix. Refer to the GitHub Security Advisory and GitHub Commit Details for additional information.
Workarounds
- Disable or restrict USB port access on systems where camera functionality is not required
- Implement USB device class filtering to block unauthorized PTP/MTP devices at the kernel level
- Use USB guard solutions to whitelist only trusted camera devices by vendor and product ID
- Consider network isolation for systems that must use vulnerable libgphoto2 versions until patches can be applied
# Example: Block PTP/MTP device class using usbguard
# Install usbguard and configure device policy
sudo apt-get install usbguard
# Create policy to block unauthorized imaging devices (class 06h)
# Note: usbguard applies the first matching rule, so a rule appended here only
# affects devices that no earlier rule in rules.conf already matches
echo 'block with-interface equals { 06:*:* }' | sudo tee -a /etc/usbguard/rules.conf
sudo systemctl restart usbguard
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

