CVE-2026-26828
Received Received - Intake
NULL Pointer Dereference in Owntone-Server Causes DoS

Publication date: 2026-03-23

Last updated on: 2026-03-23

Assigner: MITRE

Description
A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-23
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26828
EUVD
EUVD-2026-14463
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
owntone owntone-server to 3d1652d (inc)
owntone owntone_server *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26828 is a vulnerability in the owntone-server software caused by a NULL pointer dereference in the function daap_reply_playlists located in src/httpd_daap.c. The issue arises when the server processes a specially crafted DAAP request containing a malformed meta parameter with consecutive commas (e.g., "abc,,def"). The parse_meta function incorrectly handles this input by failing to increment the count of metadata fields properly, resulting in NULL entries in the meta array. When daap_reply_playlists later accesses these NULL entries without checking, it causes a NULL pointer dereference, leading to a crash or undefined behavior.'}] [1, 2, 3]

Impact Analysis

This vulnerability allows an attacker to cause a Denial of Service (DoS) on the owntone-server by sending a crafted DAAP request with malformed meta parameters. The server may crash or become unresponsive due to the NULL pointer dereference, disrupting service availability.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specially crafted DAAP requests containing malformed meta parameters with consecutive commas, such as "abc,,def".'}, {'type': 'paragraph', 'content': 'A specific way to test or detect the vulnerability is to send an HTTP GET request to the owntone-server with a malformed meta query parameter that triggers the NULL pointer dereference.'}, {'type': 'paragraph', 'content': 'An example command to test this on the network or system is:'}, {'type': 'list_item', 'content': 'curl -v "http://<server_address>/databases/1/containers?meta=abc,,def"'}, {'type': 'paragraph', 'content': 'If the server crashes or becomes unresponsive after receiving such a request, it indicates the presence of the vulnerability.'}] [2, 3]

Mitigation Strategies

The immediate mitigation step is to upgrade the owntone-server software to a version that includes the fix for this vulnerability.

The vulnerability was fixed in commit 9ac54f0b42491c4862791db4c5368ff80c4000d3, which addresses the NULL pointer dereference by properly handling the parsing of the meta parameter.

If upgrading immediately is not possible, consider implementing network-level protections such as filtering or blocking DAAP requests with malformed meta parameters containing consecutive commas.

Monitoring and alerting on abnormal server crashes or DoS symptoms related to DAAP requests can also help in early detection and response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26828. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart