NIXPKGS-2026-1174

GitHub issue published on

Permalink CVE-2026-40333

6.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): PHYSICAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 19 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

libgphoto2 has OOB read in ptp_unpack_EOS_ImageFormat() and ptp_unpack_EOS_CustomFuncEx() due to missing length parameter in ptp-pack.c

libgphoto2 is a camera access and control library. In versions up to and including 2.5.33, two functions in camlibs/ptp2/ptp-pack.c accept a data pointer but no length parameter, performing unbounded reads. Their callers in ptp_unpack_EOS_events() have xsize available but never pass it, leaving both functions unable to validate reads against the actual buffer boundary. Commit 1817ecead20c2aafa7549dac9619fe38f47b2f53 patches the issue.

References

https://github.com/gphoto/libgphoto2/security/advisories/GHSA-hq94-cp6h-3gjp x_refsource_CONFIRM
https://github.com/gphoto/libgphoto2/commit/1817ecead20c2aafa7549dac9619fe38f47b2f53 x_refsource_MISC

Affected products

libgphoto2

==<= 2.5.33

Matching in nixpkgs

pkgs.libgphoto2

Library for accessing digital cameras

nixos-unstable 2.5.33
- nixpkgs-unstable 2.5.33
- nixos-unstable-small 2.5.33
nixos-25.11 2.5.32
- nixos-25.11-small 2.5.32
- nixpkgs-25.11-darwin 2.5.32

Package maintainers

@jcumming Jack Cummings <jack@mudshark.org>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1174

References

Affected products

Matching in nixpkgs

pkgs.libgphoto2

Package maintainers