CVE-2026-40341 Overview
CVE-2026-40341 is an out-of-bounds read vulnerability affecting libgphoto2, a widely-used camera access and control library. The vulnerability exists in the ptp_unpack_EOS_FocusInfoEx function and can be exploited through malicious USB devices to crash applications using the library. This vulnerability affects versions up to and including 2.5.33.
Critical Impact
An attacker with physical access can connect a malicious USB device to trigger an out-of-bounds read, causing a denial of service condition by crashing libgphoto2.
Affected Products
- libgphoto2 versions up to and including 2.5.33
- Applications and systems utilizing libgphoto2 for camera control
- Linux distributions packaging vulnerable libgphoto2 versions
Discovery Timeline
- 2026-04-18 - CVE CVE-2026-40341 published to NVD
- 2026-04-20 - Last updated in NVD database
Technical Details for CVE-2026-40341
Vulnerability Analysis
The vulnerability is classified as CWE-126 (Buffer Over-read) and resides in the ptp_unpack_EOS_FocusInfoEx function within camlibs/ptp2/ptp-pack.c. The function processes focus information data from Canon EOS cameras using the Picture Transfer Protocol (PTP). Prior to the fix, the function would directly read multiple 16-bit and 32-bit values from the input buffer without first verifying that the buffer contained sufficient data.
This out-of-bounds read condition occurs because the function attempted to access data at specific offsets (e.g., (*data) + 4, (*data) + 6, etc.) without validating that datasize was large enough to accommodate these reads. When processing malformed data from an untrusted USB device, this could result in reading beyond the allocated buffer boundaries.
Root Cause
The root cause is insufficient input validation in the ptp_unpack_EOS_FocusInfoEx function. The original implementation immediately began extracting structured data from the input buffer using hardcoded offsets without first checking if the provided datasize parameter indicated a buffer large enough to contain the expected data fields. This lack of bounds checking allows an attacker-controlled USB device to provide a truncated or malformed data payload that triggers reads past the end of the allocated buffer.
Attack Vector
Exploitation requires physical access to the target system to connect a malicious USB device masquerading as a camera. When the system interacts with this device and libgphoto2 processes the crafted PTP data, the out-of-bounds read occurs. While the impact is primarily a denial of service (crash), the vulnerability could potentially leak small amounts of memory information depending on how the read data is subsequently processed or logged.
The following patch was applied to fix the vulnerability:
static inline char*
ptp_unpack_EOS_FocusInfoEx (PTPParams* params, const unsigned char** data, uint32_t datasize)
{
- uint32_t size = dtoh32a( *data );
- uint32_t halfsize = dtoh16a( (*data) + 4);
- uint32_t version = dtoh16a( (*data) + 6);
- uint32_t focus_points_in_struct = dtoh16a( (*data) + 8);
- uint32_t focus_points_in_use = dtoh16a( (*data) + 10);
- uint32_t sizeX = dtoh16a( (*data) + 12);
- uint32_t sizeY = dtoh16a( (*data) + 14);
- uint32_t size2X = dtoh16a( (*data) + 16);
- uint32_t size2Y = dtoh16a( (*data) + 18);
+ uint32_t size;
+ uint32_t halfsize;
+ uint32_t version;
+ uint32_t focus_points_in_struct;
+ uint32_t focus_points_in_use;
+ uint32_t sizeX;
+ uint32_t sizeY;
+ uint32_t size2X;
+ uint32_t size2Y;
uint32_t i;
uint32_t maxlen;
char *str, *p;
+ if (datasize<4) {
+ ptp_error(params, "FocusInfoEx has invalid size (%d)", datasize);
+ return strdup("bad size 0");
+ }
+
Source: GitHub Commit Details
Detection Methods for CVE-2026-40341
Indicators of Compromise
- Unexpected application crashes when USB camera devices are connected
- System log entries indicating segmentation faults or memory access violations in processes using libgphoto2
- Unusual USB device connection events followed by application terminations
Detection Strategies
- Monitor system logs for crashes in applications that utilize libgphoto2 functionality
- Implement USB device monitoring to detect and alert on unrecognized or suspicious camera devices
- Use memory debugging tools (such as AddressSanitizer) during development to detect out-of-bounds access patterns
Monitoring Recommendations
- Enable verbose logging for camera-related services to capture potential exploitation attempts
- Monitor for unexpected process terminations in photo management or camera control applications
- Implement USB device whitelisting on sensitive systems to prevent unauthorized device connections
How to Mitigate CVE-2026-40341
Immediate Actions Required
- Update libgphoto2 to a version containing commit c385b34af260595dfbb5f9329526be5158985987 or later
- Restrict physical access to systems where untrusted USB devices could be connected
- Consider disabling USB ports on high-security systems where camera functionality is not required
Patch Information
A patch is available in the libgphoto2 repository. The fix adds proper bounds checking to validate that the input buffer contains sufficient data before attempting to read from it. Organizations should update to a patched version of libgphoto2 as soon as possible. For detailed patch information, refer to the GitHub Commit Details and the GitHub Security Advisory.
Workarounds
- No official workarounds are available for this vulnerability according to the security advisory
- Implement strict physical access controls to prevent unauthorized USB device connections
- Use USB port blockers or disable USB ports where camera functionality is not essential
- Apply the patch as the primary remediation strategy
# Verify libgphoto2 version and check for vulnerable installations
pkg-config --modversion libgphoto2
# If using a package manager, check for available updates
apt list --upgradable 2>/dev/null | grep libgphoto2
dnf check-update libgphoto2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
