CVE-2026-40339 Overview
CVE-2026-40339 is an out-of-bounds read vulnerability in libgphoto2, a widely used camera access and control library. Versions up to and including 2.5.33 contain a flaw in the ptp_unpack_Sony_DPD() function located in camlibs/ptp2/ptp-pack.c (line 842). The function reads the FormFlag byte via dtoh8o(data, *poffset) without a prior bounds check. The standard ptp_unpack_DPD() function at lines 686–687 correctly validates *offset + sizeof(uint8_t) > dpdlen before this same read operation; the Sony variant omits this validation entirely.
Critical Impact
An attacker with physical access to a system running a vulnerable version of libgphoto2 could potentially trigger an out-of-bounds read, leading to information disclosure or application crashes when connecting a malicious or specially crafted camera device.
Affected Products
- libgphoto2 versions up to and including 2.5.33
- Applications and systems that depend on libgphoto2 for camera communication
Discovery Timeline
- 2026-04-18 - CVE-2026-40339 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40339
Vulnerability Analysis
This out-of-bounds read vulnerability (CWE-125) exists within the Sony-specific Device Property Description (DPD) unpacking routine in libgphoto2. When parsing PTP (Picture Transfer Protocol) data from Sony cameras, the ptp_unpack_Sony_DPD() function fails to validate buffer boundaries before reading the FormFlag byte. This inconsistency with the standard ptp_unpack_DPD() implementation, which properly validates bounds, creates a security gap that can be exploited through physical access to a USB port.
The vulnerability requires physical access to exploit, limiting its attack surface. However, in environments where USB ports are accessible to untrusted parties or when connecting unknown camera devices, this vulnerability could be leveraged to read memory beyond the allocated buffer boundaries, potentially exposing sensitive information or causing denial of service through application crashes.
Root Cause
The root cause is a missing bounds check in the Sony-specific DPD unpacking function. The standard implementation properly validates that sufficient data exists in the buffer before reading (*offset + sizeof(uint8_t) > dpdlen), but this safety check was not replicated in the ptp_unpack_Sony_DPD() variant. This oversight allows the function to read beyond the allocated buffer when processing malformed or maliciously crafted PTP data.
Attack Vector
Exploitation requires physical access to a USB port on the target system. An attacker would need to connect a malicious device that presents itself as a Sony camera and provides specially crafted PTP responses designed to trigger the out-of-bounds read. The malicious device would send DPD data that causes the function to read past the end of the allocated buffer when parsing the FormFlag field.
code or the Data Type is a string (with two empty strings as
values). In both cases Form Flag should be set to 0x00 and FORM is
not present. */
if (*poffset==PTP_dpd_Sony_DefaultValue)
return 1;
+ if (*poffset + sizeof(uint8_t) > dpdlen)
+ return 1;
dpd->FormFlag = dtoh8o(data, *poffset);
ptp_debug (params, "formflag 0x%04x", dpd->FormFlag);
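Review bot: the added truncation branch returns 1, the same value as the PTP_dpd_Sony_DefaultValue early return directly above it, so a caller cannot distinguish a short buffer from a property that legitimately has no form. If truncation is meant to be treated as "no form", say so in the comment above the check; otherwise return a distinct value. Neither early return assigns dpd->FormFlag, although the comment says Form Flag should be 0x00 in these cases, so confirm the structure is zeroed before this point or set it explicitly. Minor: the debug format "formflag 0x%04x" prints a one-byte field with four hex digits; 0x%02x would match the field width.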
Source: GitHub Commit
The patch adds the missing bounds check before the FormFlag read operation, ensuring that the buffer contains sufficient data before attempting to access it.
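The pattern behind the fix, as an added example (not libgphoto2 code): every read from a device-supplied buffer is gated by a length check, and a missing optional byte is simply not read. The record layout and the names demo_dpd, have_bytes and demo_unpack are hypothetical; the check is written as a subtraction, which goes slightly beyond the patch by also ruling out offset wrap-around.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified record (not libgphoto2's real DPD layout):
 * 2-byte little-endian property code, then an optional 1-byte FormFlag. */
struct demo_dpd {
    uint16_t prop_code;
    uint8_t  form_flag;              /* 0x00 = no form present */
};

/* True when `need` bytes exist at `off`. Written as a subtraction so that
 * a huge `off` cannot wrap the way `off + need > len` can. */
static int have_bytes(size_t off, size_t need, size_t len)
{
    return off <= len && need <= len - off;
}

/* Returns 0 if the mandatory field is truncated, 1 otherwise. A missing
 * FormFlag byte is not read; form_flag stays 0x00 and 1 is returned,
 * matching the return value of the patched branch shown above. */
int demo_unpack(const uint8_t *data, size_t len, size_t *poff,
                struct demo_dpd *out)
{
    memset(out, 0, sizeof(*out));
    if (!have_bytes(*poff, 2, len))
        return 0;
    out->prop_code = (uint16_t)(data[*poff] | (data[*poff + 1] << 8));
    *poff += 2;

    if (!have_bytes(*poff, 1, len))  /* the check the Sony variant lacked */
        return 1;
    out->form_flag = data[*poff];
    *poff += 1;
    return 1;
}

int main(void)
{
    const uint8_t cut[] = { 0x05, 0xD2 };   /* constructed: no FormFlag byte */
    struct demo_dpd d;
    size_t off = 0;
    int rc = demo_unpack(cut, sizeof(cut), &off, &d);
    printf("rc=%d form_flag=0x%02x off=%zu\n", rc, d.form_flag, off);
    return 0;
}
```

Building the parser with -fsanitize=address and feeding it truncated buffers such as the constructed one in main() is a quick regression test for this class of bug.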
Detection Methods for CVE-2026-40339
Indicators of Compromise
- Unexpected crashes in applications using libgphoto2 when connecting camera devices
- Segmentation faults or memory access violations in processes interfacing with USB camera hardware
- Unusual memory read patterns in processes utilizing the libgphoto2 library
Detection Strategies
- Monitor system logs for crashes or errors related to libgphoto2 or camera-related applications
- Implement USB device monitoring to detect unauthorized or suspicious camera device connections
- Use memory sanitizers (ASan, MSan) in development and testing environments to detect out-of-bounds reads
Monitoring Recommendations
- Enable enhanced logging for USB device connections and libgphoto2 interactions
- Deploy endpoint detection solutions that monitor for unusual memory access patterns
- Implement physical security controls for USB ports in sensitive environments
How to Mitigate CVE-2026-40339
Immediate Actions Required
- Update libgphoto2 to a version containing commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d or later
- Restrict physical access to USB ports on systems in sensitive environments
- Consider disabling USB camera support on systems where it is not required
Patch Information
The vulnerability has been fixed in commit 09f8a940b1e418b5693f5c11e3016a1ad2cea62d. Users should update to the latest version of libgphoto2 that includes this security fix. The patch adds the missing bounds check in the ptp_unpack_Sony_DPD() function to validate that sufficient data exists before reading the FormFlag byte.
For more information, see the GitHub Security Advisory and the patch commit.
Workarounds
- Implement USB port blocking or whitelisting policies to prevent unauthorized device connections
- Use USB device authorization controls available in modern operating systems to restrict camera device access
- Consider deploying USB host controller guards in high-security environments
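# Configuration example - Disable USB camera access on Linux systems
# Add udev rule to block unauthorized camera devices.
# The rule matches the device-level class (bDeviceClass 06) only; a camera that
# declares its class per interface is not matched. MODE="0000" removes the
# permission bits on the device node and does not restrict processes run as root.
echo 'SUBSYSTEM=="usb", ATTR{bDeviceClass}=="06", MODE="0000"' | sudo tee /etc/udev/rules.d/99-block-ptp-cameras.rules
# Reload the rules so they apply to devices connected from now on
sudo udevadm control --reload-rules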

