Skip to main content

OwnTone Server EUVDEUVD-2026-24587

| CVE-2026-41458 HIGH
Race Condition (CWE-362)
2026-04-22 VulnCheck GHSA-rvqf-8mp6-8qjg
8.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
HIGH
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 22, 2026 - 21:22 vuln.today
cvss_changed
Analysis Generated
Apr 22, 2026 - 03:23 vuln.today
CVSS changed
Apr 22, 2026 - 03:22 NVD
8.2 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 03:00 euvd
EUVD-2026-24587
Analysis Generated
Apr 22, 2026 - 03:00 vuln.today
Patch released
Apr 22, 2026 - 03:00 nvd
Patch available
CVE Published
Apr 22, 2026 - 01:46 nvd
HIGH 8.2

DescriptionCVE.org

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

AnalysisAI

Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remote denial of service without authentication. Attack complexity is high (CVSS AC:H) but requires no privileges, enabling unauthenticated attackers to flood the /login endpoint and trigger crashes through unsynchronized global state access. Vendor patch available via GitHub commit dca94641; no active exploitation confirmed at time of analysis.

Technical ContextAI

OwnTone Server (formerly forked-daapd) is a media server implementing the Digital Audio Access Protocol (DAAP) for streaming to iTunes-compatible clients. The vulnerability resides in the DAAP authentication handler's session management code, specifically CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The global DAAP session list lacks proper mutex locking or atomic operations when processing concurrent /login requests, creating a time-of-check to time-of-use (TOCTOU) race window. Multiple threads can simultaneously read/modify session state, leading to memory corruption, null pointer dereferences, or assertion failures that terminate the server process. Affected product confirmed via CPE cpe:2.3:a:owntone:owntone-server versions 28.4 through 29.0.

RemediationAI

Apply the vendor-released patch by upgrading to OwnTone Server version 29.1 or later, or manually apply commit dca94641a5ed66500822dd51281774794cdb6c22 from the upstream GitHub repository at https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22. The patch introduces proper mutex synchronization around DAAP session list operations to prevent race conditions. If immediate patching is not feasible, implement rate limiting on the /login endpoint at the reverse proxy or firewall layer to restrict concurrent connection attempts per source IP (recommend maximum 5 concurrent connections with 1-second cooldown), which increases attack complexity and reduces crash probability but may affect legitimate clients using connection pooling. Alternatively, restrict DAAP service access to trusted networks only via firewall rules, though this eliminates remote streaming functionality. Monitor server logs for abnormal login request patterns (hundreds of requests per second from single sources) as an early warning indicator.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-24587 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy