CVE-2026-40336 Overview
CVE-2026-40336 is a memory leak vulnerability in libgphoto2, a camera access and control library. The vulnerability exists in the ptp_unpack_Sony_DPD() function located in camlibs/ptp2/ptp-pack.c (lines 884–885). When processing a secondary enumeration list introduced in 2024+ Sony cameras, the function overwrites dpd->FORM.Enum.SupportedValue with a new calloc() allocation without first freeing the previous allocation from line 857. This causes the original array and any string values it contains to be leaked on every property descriptor parse.
Critical Impact
Repeated memory leaks during property descriptor parsing can lead to resource exhaustion and denial of service conditions when interacting with affected Sony cameras.
Affected Products
- libgphoto2 versions up to and including 2.5.33
- Systems using libgphoto2 with 2024+ Sony cameras that utilize secondary enumeration lists
- Applications integrating libgphoto2 for camera control functionality
Discovery Timeline
- 2026-04-18 - CVE-2026-40336 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40336
Vulnerability Analysis
This vulnerability is classified as CWE-401 (Missing Release of Memory after Effective Lifetime), a memory leak issue that occurs during the parsing of Picture Transfer Protocol (PTP) device property descriptors for Sony cameras. The vulnerability requires physical access to the system (attack vector: Physical) and does not require any privileges or user interaction to exploit. The impact is limited to availability, as the memory leak can eventually exhaust system resources.
The flaw was introduced to support secondary enumeration lists that are present in newer Sony camera models manufactured from 2024 onwards. When processing these enumeration lists, the ptp_unpack_Sony_DPD() function allocates memory using calloc() to store supported values. However, when a secondary enumeration list is encountered, the function allocates new memory and assigns it to the same pointer without releasing the previously allocated memory block.
Root Cause
The root cause is improper memory management in the ptp_unpack_Sony_DPD() function. Specifically, when processing property descriptors that contain both primary and secondary enumeration lists, the code path at lines 884–885 performs a new calloc() allocation that overwrites the pointer set at line 857. The original memory allocation is orphaned and becomes unreachable, resulting in a memory leak. Each time a property descriptor is parsed from an affected Sony camera, additional memory is leaked without being reclaimed.
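The overwrite-without-free pattern described above, reduced to an added, self-contained C example (not libgphoto2's code). `EnumForm`, `fill`, `free_values`, `parse_once` and the counting allocator are hypothetical names used only for illustration; the `fixed` branch shows the general remedy of releasing the first list before the pointer is reused.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the enumeration form of a property descriptor. */
typedef struct { unsigned n; char **SupportedValue; } EnumForm;
static long live_blocks; /* counting allocator: makes orphaned blocks visible */

static void *xcalloc(size_t n, size_t sz) {
    void *p = calloc(n, sz);
    if (p) live_blocks++;
    return p;
}
static void xfree(void *p) { if (p) { live_blocks--; free(p); } }

/* Release the value array and every string it owns. */
static void free_values(EnumForm *f) {
    for (unsigned i = 0; f->SupportedValue && i < f->n; i++)
        xfree(f->SupportedValue[i]);
    xfree(f->SupportedValue);
    f->SupportedValue = NULL;
    f->n = 0;
}

/* Allocate a list of n string values, overwriting whatever f pointed to. */
static void fill(EnumForm *f, unsigned n) {
    f->SupportedValue = xcalloc(n, sizeof(char *));
    if (!f->SupportedValue) return;
    for (f->n = 0; f->n < n; f->n++) {
        f->SupportedValue[f->n] = xcalloc(8, 1);
        if (f->SupportedValue[f->n]) strcpy(f->SupportedValue[f->n], "value");
    }
}

/* Parse one descriptor; returns the blocks left unreachable afterwards. */
long parse_once(int fixed, unsigned n1, unsigned n2) {
    EnumForm f = {0, NULL};
    long before = live_blocks;
    fill(&f, n1);                    /* primary list */
    if (n2) {
        if (fixed) free_values(&f);  /* release before the pointer is reused */
        fill(&f, n2);                /* secondary list replaces the pointer */
    }
    free_values(&f);                 /* normal descriptor cleanup */
    return live_blocks - before;
}

int main(void) {
    printf("leaky=%ld fixed=%ld\n", parse_once(0, 3, 2), parse_once(1, 3, 2));
    return 0;
}
```

With a three-entry primary list, each unfixed parse orphans four blocks (the array plus its three strings), which is why the loss grows with every descriptor parsed.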
Attack Vector
The attack vector requires physical access to the target system. An attacker would need to connect a malicious or specially crafted camera device to a system running libgphoto2. By repeatedly triggering property descriptor parsing operations, the attacker can cause progressive memory exhaustion. While this requires local physical access and results in relatively limited impact (availability only), it could potentially be used to destabilize systems that rely on libgphoto2 for automated camera management workflows.
The vulnerability is triggered through the PTP protocol communication path when:
- A Sony camera from 2024 or later is connected
- The camera device reports property descriptors with secondary enumeration lists
- The libgphoto2 library parses these descriptors using the vulnerable function
Detection Methods for CVE-2026-40336
Indicators of Compromise
- Unexpectedly high memory usage in processes utilizing libgphoto2
- Gradual memory consumption growth when interacting with Sony cameras
- System instability or out-of-memory conditions during camera operations
Detection Strategies
- Monitor memory allocation patterns in applications using libgphoto2
- Implement memory profiling for systems with automated camera workflows
- Check the installed libgphoto2 version to confirm whether version 2.5.33 or earlier is in use
Monitoring Recommendations
- Enable memory usage monitoring for services interacting with camera hardware
- Set up alerts for abnormal memory growth patterns in camera-related processes
- Review system logs for out-of-memory events correlated with camera activity
How to Mitigate CVE-2026-40336
Immediate Actions Required
- Update libgphoto2 to a version containing commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6
- Restrict physical access to systems running vulnerable libgphoto2 versions
- Monitor memory usage on systems that cannot be immediately updated
Patch Information
The vulnerability has been fixed in commit 404ff02c75f3cb280196fc260a63c4d26cf1a8f6. Organizations should update to a version of libgphoto2 that includes this fix. The patch properly releases the previously allocated memory before assigning a new allocation, preventing the memory leak. For more details, see the GitHub Commit Update and GitHub Security Advisory GHSA-g8xw-p5wj-mrxv.
Workarounds
- Limit USB device access to prevent untrusted camera devices from connecting
- Implement memory limits for processes using libgphoto2 to contain resource exhaustion
- Disable libgphoto2 functionality if not required until patching is complete
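# Configuration example
# Restrict USB device access using udev rules
# Create /etc/udev/rules.d/99-restrict-cameras.rules containing the rule below
# (054c is the Sony USB vendor ID; MODE="0600" leaves the device node accessible to root only)
SUBSYSTEM=="usb", ATTR{idVendor}=="054c", ATTR{idProduct}=="*", MODE="0600"
# Reload udev rules
sudo udevadm control --reload-rules
# Re-apply the rules to devices that are already connected
sudo udevadm trigger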