Description
A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.
Published: 2026-03-23
Score: 7.5 High
EPSS: 1.2% Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Owntone-server contains a NULL pointer dereference bug in its safe_atou64 function. Attackers can exploit this flaw by sending crafted HTTP requests to the server, causing the process to crash and resulting in a denial of service. The vulnerability is a classic null pointer dereference (CWE‑476) that affects the availability of the media streaming service but does not provide code execution or privilege escalation. The impact is confined to service disruption for users depending on the server.

Affected Systems

The issue is confined to the HTTP interface of servers running owntone‑server that have not been updated to the fixed commit 41e3733. There is no publicly disclosed version range, but any instance prior to the patch is potentially vulnerable. The problem was identified in the source file src/misc.c and the fix is present in the commit referenced by the advisory. The advisory and patches are available in the owntone GitHub repository.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high severity, while the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalogue. Exploitation requires only unauthenticated HTTP access to the vulnerable endpoint; no special privileges or credentials are necessary. An attacker can repeatedly send malicious requests to bring down the service. Although no public exploits are known, the nature of the flaw makes it a high risk to availability for any user running an unpatched owntone-server.

Generated by OpenCVE AI on March 23, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest owntone-server release or patch that includes commit 41e3733.
  • If unable to upgrade immediately, limit HTTP access to trusted IP addresses or implement firewall rules to block malicious traffic.
  • Validate that the service remains stable by sending test requests after applying the fix.
  • Continuously monitor server logs for crashes or abnormal terminations.

Generated by OpenCVE AI on March 23, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Null Pointer Dereference in Owntone-server HTTP Handler

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Owntone
Owntone owntone-server
Vendors & Products Owntone
Owntone owntone-server

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.
References

Subscriptions

Owntone Owntone-server
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-23T16:55:00.688Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26829

cve-icon Vulnrichment

Updated: 2026-03-23T16:54:58.034Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T17:16:48.047

Modified: 2026-03-24T15:54:09.400

Link: CVE-2026-26829

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:50:10Z

Weaknesses