NIXPKGS-2026-1178

GitHub issue published on

Permalink CVE-2026-40340

6.1 MEDIUM

CVSS version: 3.1
Attack vector (AV): PHYSICAL
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): NONE
Availability impact (A): HIGH

updated 6 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 19 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

libgphoto2 has OOB read in ptp_unpack_OI() in ptp-pack.c via malicious PTP ObjectInfo response

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in `ptp_unpack_OI()` in `camlibs/ptp2/ptp-pack.c` (lines 530–563). The function validates `len < PTP_oi_SequenceNumber` (i.e., len < 48) but subsequently accesses offsets 48–56, up to 9 bytes beyond the validated boundary, via the Samsung Galaxy 64-bit objectsize detection heuristic. Commit 7c7f515bc88c3d0c4098ac965d313518e0ccbe33 fixes the issue.

References

https://github.com/gphoto/libgphoto2/security/advisories/GHSA-xfw3-xvjp-5wcv x_refsource_CONFIRM
https://github.com/gphoto/libgphoto2/commit/7c7f515bc88c3d0c4098ac965d313518e0ccbe33 x_refsource_MISC

Affected products

libgphoto2

==<= 2.5.33

Matching in nixpkgs

pkgs.libgphoto2

Library for accessing digital cameras

nixos-unstable 2.5.33
- nixpkgs-unstable 2.5.33
- nixos-unstable-small 2.5.33
nixos-25.11 2.5.32
- nixos-25.11-small 2.5.32
- nixpkgs-25.11-darwin 2.5.32

Package maintainers

@jcumming Jack Cummings <jack@mudshark.org>

Nixpkgs security tracker

Details of issue NIXPKGS-2026-1178

References

Affected products

Matching in nixpkgs

pkgs.libgphoto2

Package maintainers