{
	"document":{
		"aggregate_severity":{
			"namespace":"https://nvd.nist.gov/vuln-metrics/cvss",
			"text":"LOW"
		},
		"category":"csaf_vex",
		"csaf_version":"2.0",
		"distribution":{
			"tlp":{
				"label":"WHITE",
				"url":"https://www.first.org/tlp/"
			}
		},
		"lang":"en",
		"notes":[
			{
				"text":"libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_Sony_DPD()` function (line 856) within the file `camlibs/ptp2/ptp-pack.c`, specifically in the `PTP_DPFF_Enumeration` case. The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that at least 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` function (line 704) includes this exact check, indicating the omission in the Sony variant was an oversight. An attacker could exploit this vulnerability to read memory beyond the end of the buffer, potentially leading to information disclosure or application crash.",
				"category":"general",
				"title":"Synopsis"
			}
		],
		"publisher":null,
		"references":[
			{
				"summary":"nvd cve",
				"category":"external",
				"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40338"
			},
			{
				"summary":"CVE-2026-40338 vex file",
				"category":"self",
				"url":"https://repo.openeuler.org/security/data/csaf/cve/2026/csaf-openeuler-cve-2026-40338.json"
			},
			{
				"summary":"openEuler-SA-2026-2071",
				"category":"self",
				"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2071"
			},
			{
				"summary":"CVE-2026-40338",
				"category":"self",
				"url":"https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-40338&packageName=libgphoto2"
			}
		],
		"title":"openEuler cve CVE-2026-40338",
		"tracking":{
			"initial_release_date":"2026-04-28T10:54:57+08:00",
			"revision_history":[
				{
					"date":"2026-04-28T10:54:57+08:00",
					"summary":"Initial",
					"number":"1.0.0"
				}
			],
			"generator":{
				"date":"2026-04-28T10:54:57+08:00",
				"engine":{
					"name":"openEuler CSAF Tool V1.0"
				}
			},
			"current_release_date":"2026-04-28T10:54:57+08:00",
			"id":"CVE-2026-40338",
			"version":"1.0.0",
			"status":"interim"
		}
	},
	"product_tree":{
		"branches":[
			{
				"name":"openEuler",
				"category":"vendor",
				"branches":[
					{
						"name":"openEuler",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"openEuler-22.03-LTS-SP4",
									"name":"openEuler-22.03-LTS-SP4"
								},
								"name":"openEuler-22.03-LTS-SP4",
								"category":"product_version"
							}
						],
						"category":"product_name"
					},
					{
						"name":"aarch64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-2.5.18-5.oe2203sp4.aarch64.rpm",
									"name":"libgphoto2-2.5.18-5.oe2203sp4.aarch64.rpm"
								},
								"name":"libgphoto2-2.5.18-5.oe2203sp4.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64.rpm",
									"name":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64.rpm"
								},
								"name":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64.rpm",
									"name":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64.rpm"
								},
								"name":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64.rpm",
									"name":"libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64.rpm"
								},
								"name":"libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"src",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-2.5.18-5.oe2203sp4.src.rpm",
									"name":"libgphoto2-2.5.18-5.oe2203sp4.src.rpm"
								},
								"name":"libgphoto2-2.5.18-5.oe2203sp4.src.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"x86_64",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-2.5.18-5.oe2203sp4.x86_64.rpm",
									"name":"libgphoto2-2.5.18-5.oe2203sp4.x86_64.rpm"
								},
								"name":"libgphoto2-2.5.18-5.oe2203sp4.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64.rpm",
									"name":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64.rpm"
								},
								"name":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64.rpm",
									"name":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64.rpm"
								},
								"name":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64.rpm",
								"category":"product_version"
							},
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64.rpm",
									"name":"libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64.rpm"
								},
								"name":"libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					},
					{
						"name":"noarch",
						"branches":[
							{
								"product":{
									"product_identification_helper":{
										"cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP4"
									},
									"product_id":"libgphoto2-help-2.5.18-5.oe2203sp4.noarch.rpm",
									"name":"libgphoto2-help-2.5.18-5.oe2203sp4.noarch.rpm"
								},
								"name":"libgphoto2-help-2.5.18-5.oe2203sp4.noarch.rpm",
								"category":"product_version"
							}
						],
						"category":"architecture"
					}
				]
			}
		],
		"relationships":[
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-2.5.18-5.oe2203sp4.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-2.5.18-5.oe2203sp4.aarch64",
					"name":"libgphoto2-2.5.18-5.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64",
					"name":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64",
					"name":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64",
					"name":"libgphoto2-devel-2.5.18-5.oe2203sp4.aarch64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-2.5.18-5.oe2203sp4.src.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-2.5.18-5.oe2203sp4.src",
					"name":"libgphoto2-2.5.18-5.oe2203sp4.src as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-2.5.18-5.oe2203sp4.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-2.5.18-5.oe2203sp4.x86_64",
					"name":"libgphoto2-2.5.18-5.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64",
					"name":"libgphoto2-debuginfo-2.5.18-5.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64",
					"name":"libgphoto2-debugsource-2.5.18-5.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64",
					"name":"libgphoto2-devel-2.5.18-5.oe2203sp4.x86_64 as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			},
			{
				"relates_to_product_reference":"openEuler-22.03-LTS-SP4",
				"product_reference":"libgphoto2-help-2.5.18-5.oe2203sp4.noarch.rpm",
				"full_product_name":{
					"product_id":"openEuler-22.03-LTS-SP4:libgphoto2-help-2.5.18-5.oe2203sp4.noarch",
					"name":"libgphoto2-help-2.5.18-5.oe2203sp4.noarch as a component of openEuler-22.03-LTS-SP4"
				},
				"category":"default_component_of"
			}
		]
	},
	"vulnerabilities":[
		{
			"cve":"CVE-2026-40338",
			"notes":[
				{
					"text":"libgphoto2 is an open-source library for accessing and controlling cameras. Versions up to and including 2.5.33 contain an out-of-bounds read vulnerability in the `ptp_unpack_Sony_DPD()` function (line 856) within the file `camlibs/ptp2/ptp-pack.c`, specifically in the `PTP_DPFF_Enumeration` case. The function reads a 2-byte enumeration count N via `dtoh16o(data, *poffset)` without verifying that at least 2 bytes remain in the buffer. The standard `ptp_unpack_DPD()` function (line 704) includes this exact check, indicating the omission in the Sony variant was an oversight. An attacker could exploit this vulnerability to read memory beyond the end of the buffer, potentially leading to information disclosure or application crash.",
					"category":"description",
					"title":"Vulnerability Description"
				}
			],
			"product_status":{
				"fixed":{
					"$ref":"$.vulnerabilities[0].product_status.fixed"
				}
			},
			"remediations":[
				{
					"product_ids":{
						"$ref":"$.vulnerabilities[0].product_status.fixed"
					},
					"details":"libgphoto2 security update",
					"category":"vendor_fix",
					"url":"https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-2071"
				}
			],
			"scores":[
				{
					"cvss_v3":{
						"baseSeverity":"MEDIUM",
						"baseScore":5.2,
						"vectorString":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L",
						"version":"3.1"
					},
					"products":{
						"$ref":"$.vulnerabilities[0].product_status.fixed"
					}
				}
			],
			"threats":[
				{
					"details":"Medium",
					"category":"impact"
				}
			],
			"title":"CVE-2026-40338"
		}
	]
}