CVE-2026-1991 identifies a null pointer dereference vulnerability in the libuvc library, specifically in the uvc_scan_streaming function located in src/device.c, which handles UVC (USB Video Class) descriptors. The flaw occurs when the function improperly handles certain input or state conditions, leading to dereferencing a null pointer. This results in a crash of the process using libuvc, causing a denial of service (DoS). The vulnerability affects all versions up to and including 0.0.7. Exploitation requires local access with low privileges, no user interaction, and no authentication, making it somewhat limited in scope. The CVSS 4.0 base score of 4.8 reflects the medium severity, considering the attack vector is local and the impact is primarily availability loss. The vulnerability does not impact confidentiality or integrity. The exploit code has been made public, increasing the risk of exploitation, although no active exploitation in the wild has been reported. The libuvc project has been notified but has not yet released a patch or fix, leaving users exposed. Libuvc is commonly used in applications that interface with USB video devices, such as webcams and video capture tools, across various operating systems.

The primary impact of this vulnerability is denial of service, where an attacker with local access can cause applications or services relying on libuvc to crash. This could disrupt video capture or streaming functionalities, affecting user experience and potentially critical systems that depend on video input, such as security cameras or conferencing tools. While the vulnerability does not allow privilege escalation, remote code execution, or data leakage, the availability impact could be significant in environments where continuous video streaming is essential. Organizations deploying libuvc in embedded devices, IoT products, or multimedia applications may face operational interruptions. The public availability of exploit code increases the likelihood of opportunistic attacks, especially in environments where local access is possible, such as multi-user systems or shared devices.

Since no official patch is currently available, organizations should implement several practical mitigations: 1) Restrict local access to systems running libuvc to trusted users only, minimizing the risk of local exploitation. 2) Employ process monitoring and automatic restart mechanisms for applications using libuvc to reduce downtime caused by crashes. 3) Use containerization or sandboxing to isolate applications using libuvc, limiting the impact of a crash on the broader system. 4) Monitor for unusual application crashes or system logs indicating null pointer dereferences related to libuvc. 5) Engage with the libuvc project or community to track patch releases and apply updates promptly once available. 6) For critical systems, consider alternative libraries or solutions for USB video handling until the vulnerability is resolved. 7) Implement strict access controls and audit local user activities to detect potential exploitation attempts.