Description
A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.
Published: 2026-03-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

A NULL pointer dereference occurs in the daap_reply_playlists function of owntone-server and can be triggered by sending a specially crafted DAAP request. The flaw crashes the application, resulting in a denial of service that renders the server unavailable to legitimate users. The vulnerability is classified as CWE-476, a classic null pointer dereference that takes down the server process and so directly affects its availability.

Affected Systems

The owntone-server application is affected. No explicit vendor or product name is listed in the CNA data; however, the vulnerability is tied to a specific code commit (3d1652d). All releases prior to the fix commit (9ac54f0) are potentially vulnerable. Users should verify whether their installed version contains the vulnerable commit and upgrade accordingly.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. Although the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the flaw is easy to exploit: the attack vector is a standard DAAP request over the network, so an attacker needs only network reach to the owntone-server instance and a single crafted request. Because the weakness is a null pointer dereference, no special skill beyond crafting that request is required, and the result is an immediate server crash. This high-severity DoS risk makes the vulnerability a top priority for any publicly exposed owntone-server deployment.

Generated by OpenCVE AI on March 23, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade owntone-server to a release that contains the patch commit 9ac54f0 or later, which resolves the NULL pointer dereference.



Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:00:00 +0000
  Title (added): Null Pointer Dereference in owntone-server Leads to DoS via Crafted DAAP Request

Tue, 24 Mar 2026 10:45:00 +0000
  First Time appeared (added): Owntone; Owntone owntone-server
  Vendors & Products (added): Owntone; Owntone owntone-server

Mon, 23 Mar 2026 17:15:00 +0000
  Weaknesses (added): CWE-476
  Metrics (added):
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:30:00 +0000
  Description (added): A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.
  References:

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T16:57:05.556Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26828

Vulnrichment

Updated: 2026-03-23T16:56:55.122Z

NVD

Status : Awaiting Analysis

Published: 2026-03-23T17:16:47.863

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-26828

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:11Z

Weaknesses