OESA-2026-2071

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2026-2071
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2026-2071.json
JSON Data
https://api.osv.dev/v1/vulns/OESA-2026-2071
Upstream
  • CVE-2026-40334
  • CVE-2026-40335
  • CVE-2026-40338
  • CVE-2026-40339
  • CVE-2026-40340
  • CVE-2026-40341
Published
2026-04-25T05:49:45Z
Modified
2026-04-25T06:02:40.942615Z
Summary
libgphoto2 security update
Details

libgphoto2 is the core of the gphoto2 software. It is a portable library which gives access to literally hundreds of digital cameras.

Security Fix(es):

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, a missing null terminator exists in the ptpunpackCanon_FE() function in camlibs/ptp2/ptp-pack.c (line 1377). The function copies a filename into a 13-byte buffer using strncpy without explicitly null-terminating the result. If the source data is exactly 13 bytes with no null terminator, the buffer is left unterminated, leading to out-of-bounds reads in any subsequent string operation. (CVE-2026-40334)

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the ptp_unpack_DPV() function within camlibs/ptp2/ptp-pack.c (lines 622–629). When handling UINT128 and INT128 data types, the code advances the buffer offset by *offset += 16 without verifying that 16 bytes remain in the buffer. The entry check at line 609 only ensures *offset < total (at least 1 byte available), leaving up to 15 bytes unvalidated. This could lead to reading beyond the buffer boundary, resulting in a crash or information disclosure. The issue has been patched in commit 433bde9888d70aa726e32744cd751d7dbe94379a. (CVE-2026-40335)

libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the ptp_unpack_Sony_DPD() function (line 856) within the file camlibs/ptp2/ptp-pack.c, specifically in the PTP_DPFF_Enumeration case. The function reads a 2-byte enumeration count N via dtoh16o(data, *poffset) without verifying that at least 2 bytes remain in the buffer. The standard ptp_unpack_DPD() function (line 704) includes this exact check, indicating the omission in the Sony variant was an oversight. An attacker could exploit this vulnerability to read data beyond the bounds of the process memory, potentially leading to information disclosure or application crash. (CVE-2026-40338)

libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the ptp_unpack_Sony_DPD() function (line 842) within the file camlibs/ptp2/ptp-pack.c. The function reads the FormFlag byte via dtoh8o(data, *poffset) without performing a prior bounds check. The standard ptp_unpack_DPD() function (lines 686–687) correctly validates *offset + sizeof(uint8_t) > dpdlen before this same read, but the Sony-specific variant omits this check entirely, potentially allowing read access beyond the allocated buffer. (CVE-2026-40339)

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the ptp_unpack_OI() function within camlibs/ptp2/ptp-pack.c (lines 530–563). The function validates len < PTP_oi_SequenceNumber (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. An attacker can exploit this vulnerability by sending a malicious PTP ObjectInfo response, potentially leading to sensitive information disclosure or application crash. (CVE-2026-40340)

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, an out-of-bounds read vulnerability exists in the ptp_unpack_EOS_FocusInfoEx function. This vulnerability could be exploited by an attacker to crash libgphoto2 (Denial of Service) when processing input from untrusted USB devices. (CVE-2026-40341)
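The descriptions above share two defect shapes: a fixed-size field read or skipped without first checking that enough bytes remain after *offset (CVE-2026-40335, CVE-2026-40338, CVE-2026-40339), and a strncpy into a 13-byte name buffer with no guaranteed terminator (CVE-2026-40334). The following is an added illustration of the hardened form of each, written for this page and not taken from libgphoto2; the helper names ptp_take, ptp_read_u16, ptp_skip_u128, copy_fe_filename and FE_NAME_LEN are assumptions, and the reader assumes PTP's little-endian wire order.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper (not libgphoto2 code): succeed only if n bytes remain
 * between *offset and total, then hand back a pointer and advance *offset.
 * Subtracting rather than adding avoids overflow in the length arithmetic. */
static bool ptp_take(const unsigned char *data, unsigned int total,
                     unsigned int *offset, unsigned int n,
                     const unsigned char **out)
{
    if (data == NULL || *offset > total || total - *offset < n)
        return false;                       /* truncated or malformed packet */
    *out = data + *offset;
    *offset += n;
    return true;
}

/* Read a little-endian 2-byte count (the enumeration-count read of
 * CVE-2026-40338), refusing when fewer than 2 bytes remain. */
static bool ptp_read_u16(const unsigned char *data, unsigned int total,
                         unsigned int *offset, uint16_t *value)
{
    const unsigned char *p;
    if (!ptp_take(data, total, offset, 2, &p))
        return false;
    *value = (uint16_t)(p[0] | (p[1] << 8));
    return true;
}

/* Skip a 16-byte UINT128/INT128 value (the *offset += 16 of CVE-2026-40335)
 * only when all 16 bytes are actually present. */
static bool ptp_skip_u128(const unsigned char *data, unsigned int total,
                          unsigned int *offset)
{
    const unsigned char *p;
    return ptp_take(data, total, offset, 16, &p);
}

/* Copy a filename into a fixed 13-byte buffer and always terminate it.
 * At most 12 payload bytes are kept, so a 13-byte source without a NUL
 * (the CVE-2026-40334 case) can no longer leave the buffer unterminated. */
#define FE_NAME_LEN 13
static void copy_fe_filename(char dst[FE_NAME_LEN],
                             const unsigned char *src, unsigned int srclen)
{
    unsigned int n = srclen < FE_NAME_LEN - 1 ? srclen : FE_NAME_LEN - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
}
```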

Database specific
{
    "severity": "Medium"
}
References

Affected packages

openEuler:22.03-LTS-SP4 / libgphoto2

Package

Name
libgphoto2
Purl
pkg:rpm/openEuler/libgphoto2&distro=openEuler-22.03-LTS-SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.5.18-5.oe2203sp4

Ecosystem specific

{
    "noarch": [
        "libgphoto2-help-2.5.18-5.oe2203sp4.noarch.rpm"
    ],
    "aarch64": [
        "libgphoto2-2.5.18-5.oe2203sp4.aarch64.rpm",
        "libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64.rpm",
        "libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64.rpm",
        "libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64.rpm"
    ],
    "x86_64": [
        "libgphoto2-2.5.18-5.oe2203sp4.x86_64.rpm",
        "libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64.rpm",
        "libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64.rpm",
        "libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64.rpm"
    ],
    "src": [
        "libgphoto2-2.5.18-5.oe2203sp4.src.rpm"
    ]
}

Database specific

source
"https://repo.openeuler.org/security/data/osv/OESA-2026-2071.json"