CVE-2026-1991

3.3 LOW

📋 TL;DR

This vulnerability in libuvc allows local attackers to cause a denial of service through a null pointer dereference in the UVC descriptor handler. Affected systems include any application that uses libuvc version 0.0.7 or earlier for USB video device handling. The attack requires local access to the system.

💻 Affected Systems

Products:
  • libuvc
Versions: up to and including 0.0.7
Operating Systems: Linux, Windows, macOS, BSD systems using libuvc
Default Config Vulnerable: ⚠️ Yes
Notes: Any application linking against vulnerable libuvc versions is affected when processing UVC device descriptors.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Application crash leading to denial of service for USB video functionality, potentially affecting dependent services.

🟠

Likely Case

Local user causes application instability or crash when interacting with USB video devices.

🟢

If Mitigated

Minimal impact with proper privilege separation and application sandboxing.

🌐 Internet-Facing: LOW - Attack requires local access, not remotely exploitable.
🏢 Internal Only: MEDIUM - Local attackers can cause service disruption but cannot escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and interaction with USB video devices. Proof of concept available in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://github.com/libuvc/libuvc/issues/300

Restart Required: Yes

Instructions:

No official patch available. Monitor GitHub repository for updates. Consider workarounds or alternative libraries.

🔧 Temporary Workarounds

Restrict USB device access

Platform: Linux

Limit which users can access USB video devices to reduce attack surface

# Use udev rules to restrict device access
# Example: /etc/udev/rules.d/99-usb-video.rules
SUBSYSTEM=="video4linux", GROUP="video", MODE="0660"

Application sandboxing

Platform: Linux

Run applications using libuvc in restricted environments

# Use firejail or similar sandboxing tools
firejail --net=none --private /path/to/application

🧯 If You Can't Patch

  • Implement strict user privilege separation - ensure applications using libuvc run with minimal privileges
  • Monitor system logs for application crashes related to USB video device handling

🔍 How to Verify

Check if Vulnerable:

Check the installed libuvc version with pkg-config --modversion libuvc, or inspect the library version listed in the application's dependencies.

Check Version:

pkg-config --modversion libuvc 2>/dev/null || echo "libuvc not found"

Verify Fix Applied:

Once a patched release is available, verify that the installed libuvc version is greater than 0.0.7.

📡 Detection & Monitoring

Log Indicators:

  • Application segmentation faults when accessing USB video devices
  • System logs showing a null pointer dereference (segfault at a near-zero address) in processes linked against libuvc

Network Indicators:

  • No network indicators - local vulnerability only

SIEM Query:

process.name:"*" AND error:"segmentation fault" AND module:"libuvc"
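To make the log indicators above concrete, the following added example (not from this advisory or the libuvc project) parses Linux kernel "segfault at" lines and flags faults in the null page whose faulting instruction lies in libuvc. The sample log lines are constructed, and the 0x1000 null-page threshold is an assumption.

```python
import re

# Kernel segfault message, matched loosely:
#   <comm>[<pid>]: segfault at <addr> ip <ip> sp <sp> error <err> in <file>[<base>+<size>]
# <file> is the mapping that contains the faulting instruction pointer.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) in (?P<file>[^\[\s]+)"
)

# Faults below the first page are almost always NULL plus a small struct
# offset, i.e. a null pointer dereference. The threshold is an assumption.
NULL_PAGE = 0x1000

def parse_segfault(line):
    """Return a dict describing a segfault line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr = int(m.group("addr"), 16)
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "fault_addr": addr,
        "null_deref": addr < NULL_PAGE,
        "module": m.group("file"),
        "in_libuvc": "libuvc" in m.group("file"),
    }

def find_libuvc_crashes(lines):
    """Keep only null-page faults whose faulting instruction is inside libuvc."""
    hits = []
    for line in lines:
        ev = parse_segfault(line)
        if ev and ev["in_libuvc"] and ev["null_deref"]:
            hits.append(ev)
    return hits

# Constructed sample lines (not real captures) in the kernel's segfault format.
SAMPLE_LOG = [
    "kernel: camviewer[2143]: segfault at 28 ip 00007f3a1c0b4e2a sp 00007ffd0a1c3f10 error 4 in libuvc.so.0.0.7[7f3a1c0a8000+1c000]",
    "kernel: firefox[1880]: segfault at 7f00deadbeef ip 000055e3a4c1b0c0 sp 00007ffc4a0d2e80 error 4 in firefox[55e3a4b00000+3000000]",
    "kernel: camviewer[2150]: segfault at 0 ip 00007f3a1c0b4e2a sp 00007ffd0a1c3f10 error 4 in libuvc.so.0.0.7[7f3a1c0a8000+1c000]",
    "systemd[1]: Started camviewer.service.",
]

if __name__ == "__main__":
    for ev in find_libuvc_crashes(SAMPLE_LOG):
        print(f"pid {ev['pid']} ({ev['comm']}): null-page fault at {ev['fault_addr']:#x} in {ev['module']}")
```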
