CVE-2026-40340 Overview
CVE-2026-40340 is an out-of-bounds read vulnerability in libgphoto2, a widely used camera access and control library. The flaw is in the ptp_unpack_OI() function in camlibs/ptp2/ptp-pack.c (lines 530–563). The function rejects only ObjectInfo datasets with len < PTP_oi_SequenceNumber (i.e., shorter than 48 bytes), so a 48-byte dataset passes the check, yet the Samsung Galaxy 64-bit objectsize detection heuristic that follows reads offsets 48–56, up to 9 bytes beyond the validated region.
Critical Impact
Exploitation requires physical access (a USB device that presents a crafted PTP ObjectInfo dataset). A successful over-read can disclose up to 9 bytes of memory adjacent to the dataset buffer or crash the application, impacting the confidentiality and availability of systems that use libgphoto2 for camera communication.
Affected Products
- libgphoto2 versions up to and including 2.5.33
- Applications and systems utilizing libgphoto2 for camera access
- Linux distributions packaging vulnerable libgphoto2 versions
Discovery Timeline
- 2026-04-18 - CVE-2026-40340 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40340
Vulnerability Analysis
This out-of-bounds read (CWE-125) occurs in the PTP ObjectInfo parsing logic. ptp_unpack_OI() unpacks Picture Transfer Protocol (PTP) ObjectInfo datasets received from a connected camera. A code path that detects Samsung Galaxy devices, which emit a 64-bit object size, reads offsets 48–56 of the dataset without first confirming that the buffer is that long.
Exploitation requires physical access: the attacker must connect a malicious or specially crafted device that answers with a malformed ObjectInfo dataset. A successful over-read exposes up to 9 bytes of memory adjacent to the dataset buffer, which may disclose sensitive data, or crashes the application when the read crosses into unmapped memory, causing a denial of service.
Root Cause
The root cause is a boundary check that does not match the accesses it guards. The check len < PTP_oi_SequenceNumber only guarantees that the first 48 bytes (offsets 0–47) are present, but the Samsung Galaxy 64-bit objectsize heuristic that follows reads offsets 48–56 without verifying that the dataset extends that far. This gap between what is validated and what is accessed is the out-of-bounds read.
Attack Vector
The attack vector requires physical access to the target system. An attacker would need to:
- Connect a malicious USB device masquerading as a PTP-compatible camera
- Answer the host's ObjectInfo request with a dataset of exactly 48 bytes: long enough to pass the original check, but short of the offsets the heuristic reads
- Reach the Samsung Galaxy detection heuristic code path
- Cause the heuristic to read offsets 48–56, up to 9 bytes past the end of the 48-byte buffer
The physical access requirement limits exploitability, but it remains a concern for shared workstations, kiosk systems, and any environment where USB device connections are not strictly controlled.
{
char *capture_date;
- if (!data || len < PTP_oi_SequenceNumber)
+ if (!data || len < PTP_oi_filenamelen + 5)
return;
oi->Filename = oi->Keywords = NULL;
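Review bot: the new bound PTP_oi_filenamelen + 5 is a bare magic number whose only justification is the last offset the Galaxy 64-bit objectsize heuristic reads, and nothing in the hunk records that; suggest a comment directly above the check, or a named constant derived from the heuristic's offsets, e.g. `/* the Samsung Galaxy 64-bit objectsize heuristic reads up to PTP_oi_filenamelen + 4 */`, so that the next edit to the heuristic cannot silently desynchronise the check from the accesses again, which is exactly how this bug arose from `len < PTP_oi_SequenceNumber`.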
Source: GitHub Commit Reference
The security patch raises the minimum dataset length from PTP_oi_SequenceNumber (48) to PTP_oi_filenamelen + 5 (57 with the standard ObjectInfo layout), so a dataset must cover offsets 0–56, including every offset the Samsung Galaxy detection logic reads, before any of them is touched.
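To make the gap between the check and the accesses concrete, here is an added, self-contained C model of the problem. It is example code written for this page, not libgphoto2's ptp_unpack_OI(). It assumes the standard ObjectInfo offsets (PTP_oi_SequenceNumber = 48, PTP_oi_filenamelen = 52, as in ptp.h), uses a hypothetical stand-in for the Galaxy heuristic whose only faithful property is that it reads offsets 48–56, and counts every byte read past the dataset instead of actually performing the over-read. With a constructed 48-byte dataset the old check lets 9 reads run past the buffer; the patched check rejects that dataset and accepts a 57-byte one without any over-read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Offsets into a PTP ObjectInfo dataset, standard layout (assumed to match
 * libgphoto2's ptp.h: SequenceNumber at 48, filename length byte at 52). */
#define PTP_oi_SequenceNumber 48
#define PTP_oi_filenamelen    52

/* Instrumented view of the dataset: every byte read is checked against the
 * real allocation, so an over-read is counted instead of being undefined
 * behaviour. */
struct oi_buf {
    const uint8_t *data;
    size_t         alloc;      /* bytes actually backing data */
    size_t         overreads;  /* reads at offsets >= alloc */
};

static uint8_t rd8(struct oi_buf *b, size_t off)
{
    if (off >= b->alloc) {
        b->overreads++;
        return 0;              /* stand-in for whatever sits past the buffer */
    }
    return b->data[off];
}

static uint32_t rd32le(struct oi_buf *b, size_t off)
{
    return (uint32_t)rd8(b, off)           |
           (uint32_t)rd8(b, off + 1) << 8  |
           (uint32_t)rd8(b, off + 2) << 16 |
           (uint32_t)rd8(b, off + 3) << 24;
}

/* Hypothetical stand-in for the Samsung Galaxy 64-bit objectsize heuristic
 * (not libgphoto2's real test). What matters is its access pattern: it
 * touches offsets 48..56, exactly the range the advisory names. */
static int galaxy_64bit_size_suspected(struct oi_buf *b)
{
    uint32_t seq   = rd32le(b, PTP_oi_SequenceNumber);   /* offsets 48..51 */
    uint8_t  fnlen = rd8(b, PTP_oi_filenamelen);         /* offset  52     */
    uint32_t next  = rd32le(b, PTP_oi_filenamelen + 1);  /* offsets 53..56 */
    return seq == 0 && fnlen == 0 && next != 0;
}

enum { OI_REJECTED = -1, OI_OK = 0 };

/* Vulnerable shape of the check: len >= 48 only guarantees offsets 0..47. */
static int unpack_oi_vulnerable(struct oi_buf *b, size_t len)
{
    if (!b->data || len < PTP_oi_SequenceNumber)
        return OI_REJECTED;
    (void)galaxy_64bit_size_suspected(b);
    return OI_OK;
}

/* Patched shape of the check: len >= 57 guarantees offsets 0..56, so the
 * heuristic can no longer run past the dataset. */
static int unpack_oi_fixed(struct oi_buf *b, size_t len)
{
    if (!b->data || len < PTP_oi_filenamelen + 5)
        return OI_REJECTED;
    (void)galaxy_64bit_size_suspected(b);
    return OI_OK;
}

/* Constructed inputs: a 48-byte dataset (just enough to pass the old check)
 * and a 57-byte one (enough for the patched check). Contents are all zero;
 * only the length matters here. */
static const uint8_t short_oi[PTP_oi_SequenceNumber] = { 0 };
static const uint8_t full_oi[PTP_oi_filenamelen + 5] = { 0 };

/* Runs one unpacker over a len-byte dataset and returns how many byte reads
 * landed past its end (0 for a rejected or correctly bounded dataset). */
static size_t overread_bytes(int (*unpack)(struct oi_buf *, size_t),
                             const uint8_t *data, size_t len)
{
    struct oi_buf b = { data, len, 0 };
    if (unpack(&b, len) == OI_REJECTED)
        return 0;
    return b.overreads;
}

int main(void)
{
    printf("old check, 48-byte dataset: %zu bytes read past the end\n",
           overread_bytes(unpack_oi_vulnerable, short_oi, sizeof short_oi));
    printf("new check, 48-byte dataset: %zu bytes read past the end\n",
           overread_bytes(unpack_oi_fixed, short_oi, sizeof short_oi));
    printf("new check, 57-byte dataset: %zu bytes read past the end\n",
           overread_bytes(unpack_oi_fixed, full_oi, sizeof full_oi));
    return 0;
}
```

The instrumented reader is the point of the model: the real library reads through a raw pointer, so the same 9 reads would either return heap neighbours or fault, which is what an AddressSanitizer build reports as a heap-buffer-overflow read inside ptp_unpack_OI().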
Detection Methods for CVE-2026-40340
Indicators of Compromise
- Unexpected crashes or segmentation faults in applications using libgphoto2
- Unusual USB device connection events followed by application instability
- Memory access violations in ptp_unpack_OI() or related PTP parsing functions
- libgphoto2 debug traces (for example from gphoto2 --debug) showing unusually short ObjectInfo responses from a connected device
Detection Strategies
- Monitor for segmentation faults or memory access errors in processes linked against libgphoto2
- Implement USB device whitelisting to detect unauthorized PTP device connections
- Build libgphoto2 with AddressSanitizer in development and fuzzing environments; an instrumented build reports the over-read in ptp_unpack_OI() as a heap-buffer-overflow read when the dataset buffer is heap-allocated
- Review system logs for unusual camera device enumeration patterns
Monitoring Recommendations
- Enable application crash reporting for software utilizing libgphoto2
- Monitor USB connection events for unexpected PTP device class connections
- Implement endpoint detection solutions to track USB device activity
- Set up alerts for repeated application crashes involving camera access functionality
How to Mitigate CVE-2026-40340
Immediate Actions Required
- Update libgphoto2 to a release that contains commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33
- Review and restrict USB device connection policies on sensitive systems
- Implement USB device whitelisting where possible
- Consider disabling unused USB ports on high-security workstations
Patch Information
The vulnerability is fixed in commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33. The fix corrects the boundary validation in ptp_unpack_OI() to ensure all accessed offsets are within the validated buffer range. Organizations should update to a libgphoto2 version containing this fix or apply the patch manually if building from source.
For additional details, refer to the GitHub Security Advisory and the patch commit.
Workarounds
- Restrict physical access to systems running libgphoto2-based applications
- Disable USB ports or implement strict USB device access controls via udev rules
- Use USB lockdown solutions to prevent unauthorized device connections
- Consider network isolation for systems that must remain unpatched temporarily
# Example udev rule to block USB Still Image (PTP, class 06) devices
# Add to /etc/udev/rules.d/99-ptp-restrict.rules
# Cameras normally report bDeviceClass 00 (class defined per interface), so a
# match on ATTR{bDeviceClass}=="06" rarely fires. Match instead on the interface
# class list the usb_id builtin exports (the same property libgphoto2's own
# rules match on) and de-authorize the whole device; this also overrides any
# uaccess ACL that libgphoto2's rules would otherwise grant the console user.
ACTION=="add|change", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="", IMPORT{builtin}="usb_id"
ACTION=="add|change", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{ID_USB_INTERFACES}=="*:06*", ATTR{authorized}="0"
# Reload udev rules and re-run them for already connected devices
sudo udevadm control --reload-rules
sudo udevadm trigger
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


