CVE-2026-26828
NULL Pointer Dereference in Owntone-Server Causes DoS
Publication date: 2026-03-23
Last updated on: 2026-03-23
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | owntone-server | up to and including 3d1652d |
| owntone | owntone_server | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-26828 is a vulnerability in the owntone-server software caused by a NULL pointer dereference in the function daap_reply_playlists located in src/httpd_daap.c. The issue arises when the server processes a specially crafted DAAP request containing a malformed meta parameter with consecutive commas (e.g., "abc,,def"). The parse_meta function incorrectly handles this input by failing to increment the count of metadata fields properly, resulting in NULL entries in the meta array. When daap_reply_playlists later accesses these NULL entries without checking, it causes a NULL pointer dereference, leading to a crash or undefined behavior. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability allows an attacker to cause a Denial of Service (DoS) on the owntone-server by sending a crafted DAAP request with malformed meta parameters. The server may crash or become unresponsive due to the NULL pointer dereference, disrupting service availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for specially crafted DAAP requests containing malformed meta parameters with consecutive commas, such as "abc,,def".

A specific way to test or detect the vulnerability is to send an HTTP GET request to the owntone-server with a malformed meta query parameter that triggers the NULL pointer dereference.

An example command to test this on the network or system is:

- `curl -v "http://<server_address>/databases/1/containers?meta=abc,,def"`

If the server crashes or becomes unresponsive after receiving such a request, it indicates the presence of the vulnerability. [2, 3]
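The two points above (how a comma-separated meta value can leave NULL holes in a field array, and how a defender can recognise such a value in a logged request) can be shown in a few lines of C. The code below is an added illustration written for this page; it is not owntone's code and does not reproduce its parse_meta or daap_reply_playlists. The names meta_list, META_MAX, parse_meta_safe, meta_all_valid, meta_empty_fields and query_meta_empty_fields are all hypothetical. The tokenizer keeps the field count equal to the number of filled slots by skipping empty fields, the consumer-side check refuses a list with a NULL below count, and the query-string helper counts empty fields in a meta parameter (leading, trailing or consecutive commas) so an access-log or proxy filter can flag the "abc,,def" shape the advisory describes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical types and names for illustration; not owntone's code. */
#define META_MAX 64

struct meta_list {
    char *fields[META_MAX];   /* filled entries are fields[0..count-1] */
    int count;
};

void meta_free(struct meta_list *m)
{
    for (int i = 0; i < m->count; i++)
        free(m->fields[i]);
    m->count = 0;
}

/* Yield the next comma-separated field of *p (possibly zero-length).
 * Returns 1 when a field was produced, 0 when the input is exhausted. */
static int next_field(const char **p, const char **start, size_t *len)
{
    if (*p == NULL)
        return 0;
    const char *comma = strchr(*p, ',');
    *start = *p;
    *len = comma ? (size_t)(comma - *p) : strlen(*p);
    *p = comma ? comma + 1 : NULL;   /* NULL after the last field */
    return 1;
}

/* Tokenize a meta value. Empty fields ("abc,,def") are skipped rather than
 * stored, so count always equals the number of non-NULL entries.
 * Returns the field count, or -1 on allocation failure / overflow. */
int parse_meta_safe(const char *meta, struct meta_list *out)
{
    const char *p = meta, *start;
    size_t len;

    out->count = 0;
    memset(out->fields, 0, sizeof(out->fields));
    if (!meta || !*meta)
        return 0;

    while (next_field(&p, &start, &len)) {
        if (len == 0)
            continue;                       /* skip, do not leave a NULL hole */
        if (out->count >= META_MAX) {
            meta_free(out);
            return -1;
        }
        char *f = malloc(len + 1);
        if (!f) {
            meta_free(out);
            return -1;
        }
        memcpy(f, start, len);
        f[len] = '\0';
        out->fields[out->count++] = f;
    }
    return out->count;
}

/* Consumer-side guard: every slot below count must be non-NULL. */
int meta_all_valid(const struct meta_list *m)
{
    if (m->count < 0 || m->count > META_MAX)
        return 0;
    for (int i = 0; i < m->count; i++)
        if (m->fields[i] == NULL)
            return 0;
    return 1;
}

/* Detection helper: number of empty fields in a meta value. */
int meta_empty_fields(const char *meta)
{
    const char *p = meta, *start;
    size_t len;
    int empties = 0;

    if (!meta || !*meta)
        return 0;
    while (next_field(&p, &start, &len))
        if (len == 0)
            empties++;
    return empties;
}

/* Detection over a logged query string such as "meta=abc,,def&x=1":
 * returns the empty-field count of the meta parameter, 0 if absent. */
int query_meta_empty_fields(const char *query)
{
    const char *q = query;
    while (q && *q) {
        const char *amp = strchr(q, '&');
        size_t plen = amp ? (size_t)(amp - q) : strlen(q);
        if (plen >= 5 && strncmp(q, "meta=", 5) == 0) {
            char *val = malloc(plen - 5 + 1);
            if (!val)
                return 0;
            memcpy(val, q + 5, plen - 5);
            val[plen - 5] = '\0';
            int n = meta_empty_fields(val);
            free(val);
            return n;
        }
        q = amp ? amp + 1 : NULL;
    }
    return 0;
}

int main(void)
{
    struct meta_list m;
    /* constructed sample input mirroring the advisory's "abc,,def" case */
    int n = parse_meta_safe("abc,,def", &m);
    printf("parsed %d field(s), all valid: %d, empty fields in request: %d\n",
           n, meta_all_valid(&m), query_meta_empty_fields("meta=abc,,def"));
    meta_free(&m);
    return 0;
}
```

A non-zero result from query_meta_empty_fields on a request line is the condition a log search or reverse-proxy rule would alert on; the parser side shows the invariant (count equals filled slots) that the fixed code must hold so a consumer indexing fields[] never reaches a NULL.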
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the owntone-server software to a version that includes the fix for this vulnerability.
The vulnerability was fixed in commit 9ac54f0b42491c4862791db4c5368ff80c4000d3, which addresses the NULL pointer dereference by properly handling the parsing of the meta parameter.
If upgrading immediately is not possible, consider implementing network-level protections such as filtering or blocking DAAP requests with malformed meta parameters containing consecutive commas.
Monitoring and alerting on abnormal server crashes or DoS symptoms related to DAAP requests can also help in early detection and response.