CVE-2026-1991
Null Pointer Dereference in libuvc uvc_scan_streaming Function
Publication date: 2026-02-06
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libuvc | libuvc | to 0.0.7 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1991 is a null pointer dereference vulnerability in the libuvc library, specifically in the function uvc_scan_streaming located in src/device.c. This vulnerability occurs when the function processes a malformed USB Video Class (UVC) descriptor, causing a pointer to remain NULL and then be dereferenced. This leads to a segmentation fault or crash because the code does not check if the pointer is valid before accessing it.
The issue arises locally when the vulnerable function attempts to access structure members through an uninitialized pointer, resulting in an invalid memory read and program termination.
How can this vulnerability impact me? :
This vulnerability can cause the affected application using libuvc to crash or exit unexpectedly due to a segmentation fault triggered by the null pointer dereference.
Since the vulnerability impacts availability, it can lead to denial of service conditions on systems running vulnerable versions of libuvc.
Exploitation requires local access and is considered easy, with a public proof-of-concept exploit available.
No remote exploitation is possible, but local attackers can disrupt service or stability of applications relying on libuvc.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by reproducing the crash using the libuvc test harness compiled with AddressSanitizer enabled. Running the test harness with a specially crafted malformed USB Video Class (UVC) descriptor input triggers a NULL pointer dereference in the function uvc_scan_streaming, causing a segmentation fault.
To detect the vulnerability on your system, you can compile the libuvc test harness with AddressSanitizer enabled using Clang and then run it with a malformed input file that triggers the fault. The AddressSanitizer report will show a read access violation at address 0x10, confirming the NULL pointer dereference.
Suggested commands include:
- Clone the libuvc repository.
- Compile the test harness with AddressSanitizer enabled, for example: `clang -fsanitize=address -g -o test_harness src/test.c` (adjust paths as needed).
- Run the test harness with a crafted malformed UVC descriptor input file that triggers the vulnerability.
Monitoring for segmentation faults or crashes in applications using libuvc when processing UVC descriptors may also indicate exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
Currently, no official mitigation or patch has been provided by the libuvc project for this vulnerability.
Immediate steps to mitigate the vulnerability include:
- Avoid running or exposing libuvc-based applications to untrusted or malformed USB Video Class (UVC) descriptors locally, as the attack requires local access.
- Consider using alternative products or libraries that do not contain this vulnerability.
- Monitor for updates or patches from the libuvc project and apply them once available.
Since exploitation is local and the impact is a denial of service via application crash, restricting local access and careful input validation where possible can reduce risk.