{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40334", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T22:50:01.357Z", "datePublished": "2026-04-17T23:16:38.751Z", "dateUpdated": "2026-04-17T23:16:38.751Z"}, "containers": {"cna": {"title": "libgphoto2 missing null termination in ptp_unpack_Canon_FE() filename buffer in ptp-pack.c", "problemTypes": [{"descriptions": [{"cweId": "CWE-170", "lang": "en", "description": "CWE-170: Improper Null Termination", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-ph87-cc3j-c6hm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-ph87-cc3j-c6hm"}, {"name": "https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873", "tags": ["x_refsource_MISC"], "url": "https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873"}], "affected": [{"vendor": "gphoto", "product": "libgphoto2", "versions": [{"version": "<= 2.5.33", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T23:16:38.751Z"}, "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue."}], "source": {"advisory": "GHSA-ph87-cc3j-c6hm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in ptp_unpack_Canon_FE() in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. Commit 259fc7d3bfe534ce4b114c464f55b448670ab873 patches the issue."}], "id": "CVE-2026-40334", "lastModified": "2026-04-18T00:16:37.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-18T00:16:37.257", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/commit/259fc7d3bfe534ce4b114c464f55b448670ab873"}, {"source": "security-advisories@github.com", "url": "https://github.com/gphoto/libgphoto2/security/advisories/GHSA-ph87-cc3j-c6hm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-170"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:48:43.821127+00:00", "value": {"mitigation_remediation": ["Update libgphoto2 to the patched version 2.5.34 or later as provided in commit 259fc7d3bfe534ce4b114c464f55b448670ab873", "If an update is not immediately possible, manually replace the affected ptp-pack.c file with the corrected version from the commit", "After updating or patching, restart any applications or services that rely on libgphoto2 to ensure the new code is in use"], "summary": {"action": "Apply patch", "impact": "Information disclosure via out\u2011of\u2011bounds read"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the gphoto library libgphoto2 for versions 2.5.33 and earlier. The patch is contained in commit 259fc7d3bfe534ce4b114c464f55b448670ab873, which raises the affected version to 2.5.34 and later.", "description_and_impact": "The flaw is a missing null terminator in the ptp_unpack_Canon_FE() function of libgphoto2, where a 13\u2011byte filename buffer is populated with strncpy without ensuring termination. When the source string is exactly 13 bytes long, the buffer remains unterminated and subsequent string operations can read past the buffer boundary, potentially revealing adjacent memory contents. The primary impact is information disclosure, consistent with CWE\u2011170, and the exploit does not grant code execution or privilege escalation.", "risk_and_exploitability": "The CVSS score is 3.5, indicating low severity, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local, arising when a camera device sends PTP data that the library processes. No remote exploitation path is documented, and the risk of exploitation is considered low."}}}}, "created": "2026-04-18T09:00:05.892451+00:00", "updated": "2026-04-18T09:00:05.892461+00:00", "vendors": []}