Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.
AnalysisAI
Concurrent DAAP login requests crash OwnTone Server 28.4-29.0 via race condition in session list handling, causing remote denial of service without authentication. Attack complexity is high (CVSS AC:H) but requires no privileges, enabling unauthenticated attackers to flood the /login endpoint and trigger crashes through unsynchronized global state access. Vendor patch available via GitHub commit dca94641; no active exploitation confirmed at time of analysis.
Technical ContextAI
OwnTone Server (formerly forked-daapd) is a media server implementing the Digital Audio Access Protocol (DAAP) for streaming to iTunes-compatible clients. The vulnerability resides in the DAAP authentication handler's session management code, specifically CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization). The global DAAP session list lacks proper mutex locking or atomic operations when processing concurrent /login requests, creating a time-of-check to time-of-use (TOCTOU) race window. Multiple threads can simultaneously read/modify session state, leading to memory corruption, null pointer dereferences, or assertion failures that terminate the server process. Affected product confirmed via CPE cpe:2.3:a:owntone:owntone-server versions 28.4 through 29.0.
RemediationAI
Apply the vendor-released patch by upgrading to OwnTone Server version 29.1 or later, or manually apply commit dca94641a5ed66500822dd51281774794cdb6c22 from the upstream GitHub repository at https://github.com/owntone/owntone-server/commit/dca94641a5ed66500822dd51281774794cdb6c22. The patch introduces proper mutex synchronization around DAAP session list operations to prevent race conditions. If immediate patching is not feasible, implement rate limiting on the /login endpoint at the reverse proxy or firewall layer to restrict concurrent connection attempts per source IP (recommend maximum 5 concurrent connections with 1-second cooldown), which increases attack complexity and reduces crash probability but may affect legitimate clients using connection pooling. Alternatively, restrict DAAP service access to trusted networks only via firewall rules, though this eliminates remote streaming functionality. Monitor server logs for abnormal login request patterns (hundreds of requests per second from single sources) as an early warning indicator.
More in Owntone Server
View allNULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through co
A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attacker
OwnTone (aka owntone-server) through 28.1 has a use-after-free in net_bind() in misc.c. Rated critical severity (CVSS 9.
NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a
A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e
SQL injection in OwnTone Server 28.4 through 29.0 allows unauthenticated remote attackers to inject arbitrary SQL expres
Same weakness CWE-362 – Race Condition
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24587
GHSA-rvqf-8mp6-8qjg