CVE-2025-44560 - Vulnerability Details

- Buffer Overflow in owntone‑Server Due to Missing Recursive Validation

Description

owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.

Published: 2026-04-10

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The owntone‑server software contains a buffer overflow vulnerability caused by insufficient recursive input validation. This flaw allows an attacker to write arbitrary data outside of the intended buffer boundaries, potentially corrupting memory and affecting the stability or security of the process. The weakness is identified as CWE‑120, which involves an out‑of‑bounds write.

Affected Systems

The issue appears in owntone‑server at commit 2ca10d9 and is present in any earlier releases that include the same code path. No other vendors or products are known to be affected, so only installations of this software version are at risk.

Risk and Exploitability

The vulnerability scores a CVSS base score of 9.8, indicating a very high severity level. The EPSS score is below 1 %, suggesting that exploitation attempts are currently rare, and it is not listed in CISA's KEV catalog. Based on the description, the likely attack vector is through malformed input supplied to the server, which could be local or remote if the vulnerable functionality is reachable across a network. The potential impact includes program corruption, denial of service, or in the worst case arbitrary code execution if the overflow is leveraged successfully.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Owntone

Owntone-server

90%

Version	Status	Scheme	Platform
`2ca10d9`	affected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Determine whether the running owntone‑server installation is at or older than commit 2ca10d9 by checking the commit hash or version string.
If a newer version or patch is available that eliminates the buffer overflow, upgrade immediately; otherwise, apply a local code patch by revising the recursive check logic in the vulnerable module.
Run the server under stricter security controls: restrict network exposure to trusted hosts, place it in a sandbox or container, and monitor for anomalous traffic.
Enable operating‑system memory protection features such as ASLR, stack canaries, and non‑executable memory to mitigate the impact if an overflow does occur.
Maintain regular security updates for the operating system and the owntone‑server repository to ensure any future fixes are applied promptly.

Generated by OpenCVE AI on April 14, 2026 at 18:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00056.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3
https://github.com/owntone/owntone-server/issues/1873

History

Wed, 15 Apr 2026 16:15:00 +0000

Type	Values Removed	Values Added
Title		Buffer Overflow in owntone‑Server Due to Missing Recursive Validation

Tue, 14 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Title	Owntone‑Server Buffer Overflow Due to Missing Recursive Checking
Weaknesses	CWE-119 CWE-787

Tue, 14 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-120
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 13 Apr 2026 14:30:00 +0000

Type	Values Removed	Values Added
Title		Owntone‑Server Buffer Overflow Due to Missing Recursive Checking
Weaknesses		CWE-119 CWE-787

Mon, 13 Apr 2026 13:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Owntone Owntone owntone-server
Vendors & Products		Owntone Owntone owntone-server

Fri, 10 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description		owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.
References		https://gist.github.com/wenwenyuyu/517851c3fe38c4f97b2d1940597da2d3 https://github.com/owntone/owntone-server/issues/1873

Subscriptions

Owntone Owntone-server

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-04-10T00:00:00.000Z

Updated: 2026-04-14T14:06:50.236Z

Reserved: 2025-04-22T00:00:00.000Z

Link: CVE-2025-44560

Vulnrichment

Updated: 2026-04-14T14:06:44.919Z

NVD

Status : Deferred

Published: 2026-04-10T15:16:22.743

Modified: 2026-04-27T19:18:46.690

Link: CVE-2025-44560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses

CWE-120

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object