CVE-2026-40336

Name of the Vulnerable Software and Affected Versions libgphoto2 versions prior to 2.5.34

Description A memory leak exists in the ptp unpack Sony DPD() function within camlibs/ptp2/ptp-pack.c. When processing a secondary enumeration list used in 2024+ Sony cameras, the function overwrites the dpd->FORM.Enum.SupportedValue variable with a new allocation without freeing the previous one. This results in the original array and its string values being leaked during every property descriptor parse.

Recommendations Update to version 2.5.34 or later.