Skip to main content

CVE-2025-44560

| EUVDEUVD-2025-209405 CRITICAL
Classic Buffer Overflow (CWE-120)
2026-04-10 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 15:23 vuln.today
CVSS changed
Apr 14, 2026 - 15:22 NVD
9.8 (CRITICAL)
EUVD ID Assigned
Apr 10, 2026 - 15:15 euvd
EUVD-2025-209405
CVE Published
Apr 10, 2026 - 00:00 nvd
N/A

DescriptionCVE.org

owntone-server 2ca10d9 is vulnerable to Buffer Overflow due to lack of recursive checking.

AnalysisAI

Buffer overflow in owntone-server commit 2ca10d9 allows unauthenticated remote attackers to achieve code execution or denial of service with critical CVSS 9.8 severity. The vulnerability stems from inadequate recursive input validation (CWE-120), enabling network-accessible exploitation without user interaction. No public exploit identified at time of analysis, though proof-of-concept details exist in GitHub issue #1873. EPSS score of 0.02% (5th percentile) suggests low observed exploitation probability despite maximum theoretical severity.

Technical ContextAI

Owntone-server (formerly forked-daapd) is a media server supporting streaming protocols like DAAPD, AirPlay, and Chromecast. This buffer overflow (CWE-120) originates from insufficient bounds checking during recursive processing of user-controlled input, likely in parsing network protocol messages or media metadata. The specific commit 2ca10d9 introduced or exposed the vulnerability through logic that fails to validate data size or depth during recursive operations, allowing attackers to write beyond allocated buffer boundaries. Network attack vector (AV:N) with low complexity (AC:L) indicates the flaw exists in a remotely accessible service component without requiring special conditions or race timing. The unchanged scope (S:U) suggests exploitation occurs within the vulnerable component's security context, typically the media server process privileges.

RemediationAI

Update owntone-server to the latest stable release from the official GitHub repository at https://github.com/owntone/owntone-server, ensuring the installation includes fixes applied after commit 2ca10d9 that address recursive input validation. Monitor GitHub issue #1873 at https://github.com/owntone/owntone-server/issues/1873 for patch commit references and maintainer guidance on specific fixed versions. No vendor-released patch version number is independently confirmed from available data; users must track upstream repository commits for remediation. As interim mitigation, restrict network exposure by binding owntone-server only to trusted LAN interfaces, implementing firewall rules to block external access on service ports (typically TCP 3689 for DAAP), and deploying network segmentation to isolate media server traffic from untrusted networks. Consider disabling recursive protocol features if configuration options exist until patched builds are verified and deployed.

Share

CVE-2025-44560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy