Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server
AnalysisAI
A NULL pointer dereference vulnerability exists in the daap_reply_playlists function within owntone-server's DAAP request handler (src/httpd_daap.c) that allows remote attackers to trigger a denial of service condition by sending a specially crafted DAAP protocol request. The vulnerability affects owntone-server at commit 3d1652d and potentially earlier versions. An attacker can remotely crash the server without authentication by exploiting improper input validation in the playlist reply handler, resulting in service unavailability.
Technical ContextAI
The vulnerability is rooted in improper NULL pointer handling within the Digital Audio Access Protocol (DAAP) implementation used by owntone-server, a media streaming application. DAAP is a network protocol designed for sharing digital media over IP networks. The specific flaw occurs in the daap_reply_playlists function (src/httpd_daap.c), which processes incoming DAAP requests to retrieve playlist data. The root cause is classified under NULL pointer dereference (CWE category), a memory safety issue where the application fails to validate that a pointer is non-NULL before dereferencing it. When a specially crafted DAAP request reaches this function without proper state initialization or malformed payload data, the code attempts to access memory through a NULL pointer, causing an immediate crash. This is a classic input validation weakness where the application does not sanitize or validate DAAP protocol messages before processing them.
RemediationAI
Immediately apply the patch from commit 9ac54f0b42491c4862791db4c5368ff80c4000d3 or upgrade to the next released version of owntone-server that includes this fix (consult the security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md for the exact version number and release date). If immediate patching is not possible, restrict network access to the DAAP service port (typically TCP 3689) using host-based or network firewall rules, limiting connections to only trusted internal networks or IP ranges that require playlist access. Disable the DAAP service entirely if it is not actively being used. Monitor owntone-server logs for crashes or unexpected terminations, as these may indicate active exploitation attempts.
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14463
GHSA-rfmm-m252-pwvm