Skip to main content

EUVDEUVD-2026-14465

| CVE-2026-26829 HIGH
NULL Pointer Dereference (CWE-476)
2026-03-23 mitre GHSA-q44m-jgch-xfvg
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 27, 2026 - 19:22 vuln.today
cvss_changed
PoC Detected
Mar 24, 2026 - 15:54 vuln.today
Public exploit code
EUVD ID Assigned
Mar 23, 2026 - 16:30 euvd
EUVD-2026-14465
Analysis Generated
Mar 23, 2026 - 16:30 vuln.today
CVE Published
Mar 23, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.

AnalysisAI

A NULL pointer dereference vulnerability exists in the safe_atou64 function within owntone-server (src/misc.c) that allows remote attackers to cause a Denial of Service by sending crafted HTTP requests to the affected server. The vulnerability affects owntone-server through at least commit c4d57aa, and a public proof-of-concept exploit is available on GitHub, indicating active research and potential exploitation risk.

Technical ContextAI

The vulnerability is a NULL pointer dereference (CWE category) in a utility function responsible for safely converting string input to unsigned 64-bit integers. owntone-server is an open-source UPnP/DLNA media server written in C that parses HTTP requests to manage media streaming operations. The safe_atou64 function is a critical input validation routine in src/misc.c that handles user-supplied numeric parameters from HTTP requests. When this function fails to properly check for NULL pointer conditions before dereferencing memory, it can be triggered by specially crafted HTTP payloads, causing an immediate crash. The vulnerability is network-accessible via the HTTP interface exposed by the server.

RemediationAI

Update owntone-server to the version containing commit 41e3733 or later, which addresses the NULL pointer dereference in safe_atou64. If immediate patching is not possible, restrict network access to the owntone-server HTTP interface to trusted hosts only via firewall rules, and deploy a reverse proxy with rate limiting to mitigate the impact of DoS attempts. Monitor server logs for crashes related to HTTP request processing and implement automated restart mechanisms to maintain availability during exploit attempts. For detailed remediation guidance, consult the official security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md and the corresponding patch commit at https://github.com/owntone/owntone-server/commit/41e3733cccd527918a08cf05694c5493341bb70f.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-14465 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy