Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
5DescriptionCVE.org
A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.
AnalysisAI
A NULL pointer dereference vulnerability exists in the safe_atou64 function within owntone-server (src/misc.c) that allows remote attackers to cause a Denial of Service by sending crafted HTTP requests to the affected server. The vulnerability affects owntone-server through at least commit c4d57aa, and a public proof-of-concept exploit is available on GitHub, indicating active research and potential exploitation risk.
Technical ContextAI
The vulnerability is a NULL pointer dereference (CWE category) in a utility function responsible for safely converting string input to unsigned 64-bit integers. owntone-server is an open-source UPnP/DLNA media server written in C that parses HTTP requests to manage media streaming operations. The safe_atou64 function is a critical input validation routine in src/misc.c that handles user-supplied numeric parameters from HTTP requests. When this function fails to properly check for NULL pointer conditions before dereferencing memory, it can be triggered by specially crafted HTTP payloads, causing an immediate crash. The vulnerability is network-accessible via the HTTP interface exposed by the server.
RemediationAI
Update owntone-server to the version containing commit 41e3733 or later, which addresses the NULL pointer dereference in safe_atou64. If immediate patching is not possible, restrict network access to the owntone-server HTTP interface to trusted hosts only via firewall rules, and deploy a reverse proxy with rate limiting to mitigate the impact of DoS attempts. Monitor server logs for crashes related to HTTP request processing and implement automated restart mechanisms to maintain availability during exploit attempts. For detailed remediation guidance, consult the official security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md and the corresponding patch commit at https://github.com/owntone/owntone-server/commit/41e3733cccd527918a08cf05694c5493341bb70f.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14465
GHSA-q44m-jgch-xfvg