Executive Summary

CVE-2026-1991 is a null pointer dereference vulnerability in the libuvc library, specifically in the function uvc_scan_streaming located in src/device.c. This vulnerability occurs when the function processes a malformed USB Video Class (UVC) descriptor, causing a pointer to remain NULL and then be dereferenced. This leads to a segmentation fault or crash because the code does not check if the pointer is valid before accessing it.

The issue arises locally when the vulnerable function attempts to access structure members through an uninitialized pointer, resulting in an invalid memory read and program termination.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause the affected application using libuvc to crash or exit unexpectedly due to a segmentation fault triggered by the null pointer dereference.

Since the vulnerability impacts availability, it can lead to denial of service conditions on systems running vulnerable versions of libuvc.

Exploitation requires local access and is considered easy, with a public proof-of-concept exploit available.

No remote exploitation is possible, but local attackers can disrupt service or stability of applications relying on libuvc.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by reproducing the crash using the libuvc test harness compiled with AddressSanitizer enabled. Running the test harness with a specially crafted malformed USB Video Class (UVC) descriptor input triggers a NULL pointer dereference in the function uvc_scan_streaming, causing a segmentation fault.

To detect the vulnerability on your system, you can compile the libuvc test harness with AddressSanitizer enabled using Clang and then run it with a malformed input file that triggers the fault. The AddressSanitizer report will show a read access violation at address 0x10, confirming the NULL pointer dereference.

Suggested commands include:

• Clone the libuvc repository.
• Compile the test harness with AddressSanitizer enabled, for example: `clang -fsanitize=address -g -o test_harness src/test.c` (adjust paths as needed).
• Run the test harness with a crafted malformed UVC descriptor input file that triggers the vulnerability.

Monitoring for segmentation faults or crashes in applications using libuvc when processing UVC descriptors may also indicate exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Currently, no official mitigation or patch has been provided by the libuvc project for this vulnerability.

Immediate steps to mitigate the vulnerability include:

• Avoid running or exposing libuvc-based applications to untrusted or malformed USB Video Class (UVC) descriptors locally, as the attack requires local access.
• Consider using alternative products or libraries that do not contain this vulnerability.
• Monitor for updates or patches from the libuvc project and apply them once available.

Since exploitation is local and the impact is a denial of service via application crash, restricting local access and careful input validation where possible can reduce risk.

Useful 0 Not Useful 0