Skip to main content

CVE-2026-26828

| EUVDEUVD-2026-14463 HIGH
NULL Pointer Dereference (CWE-476)
2026-03-23 mitre GHSA-rfmm-m252-pwvm
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
EUVD ID Assigned
Mar 23, 2026 - 16:30 euvd
EUVD-2026-14463
Analysis Generated
Mar 23, 2026 - 16:30 vuln.today
CVE Published
Mar 23, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server

AnalysisAI

A NULL pointer dereference vulnerability exists in the daap_reply_playlists function within owntone-server's DAAP request handler (src/httpd_daap.c) that allows remote attackers to trigger a denial of service condition by sending a specially crafted DAAP protocol request. The vulnerability affects owntone-server at commit 3d1652d and potentially earlier versions. An attacker can remotely crash the server without authentication by exploiting improper input validation in the playlist reply handler, resulting in service unavailability.

Technical ContextAI

The vulnerability is rooted in improper NULL pointer handling within the Digital Audio Access Protocol (DAAP) implementation used by owntone-server, a media streaming application. DAAP is a network protocol designed for sharing digital media over IP networks. The specific flaw occurs in the daap_reply_playlists function (src/httpd_daap.c), which processes incoming DAAP requests to retrieve playlist data. The root cause is classified under NULL pointer dereference (CWE category), a memory safety issue where the application fails to validate that a pointer is non-NULL before dereferencing it. When a specially crafted DAAP request reaches this function without proper state initialization or malformed payload data, the code attempts to access memory through a NULL pointer, causing an immediate crash. This is a classic input validation weakness where the application does not sanitize or validate DAAP protocol messages before processing them.

RemediationAI

Immediately apply the patch from commit 9ac54f0b42491c4862791db4c5368ff80c4000d3 or upgrade to the next released version of owntone-server that includes this fix (consult the security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md for the exact version number and release date). If immediate patching is not possible, restrict network access to the DAAP service port (typically TCP 3689) using host-based or network firewall rules, limiting connections to only trusted internal networks or IP ranges that require playlist access. Disable the DAAP service entirely if it is not actively being used. Monitor owntone-server logs for crashes or unexpected terminations, as these may indicate active exploitation attempts.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-26828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy