Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-26829 is a vulnerability in the owntone-server caused by a NULL pointer dereference in the safe_atou64 function located in src/misc.c. This occurs when the function is called with a NULL string pointer, which leads to a crash of the server.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerability arises when an attacker sends a series of specially crafted HTTP requests, including a malformed JSON payload in a PUT request to the "/api/outputs/set" endpoint. This malformed input causes the server to later call safe_atou64 with a NULL parameter during a GET request to "/api/outputs", triggering the NULL pointer dereference.'}, {'type': 'paragraph', 'content': 'The root cause is that safe_atou64 and related integer conversion functions did not previously check for NULL input pointers before calling standard library functions like strtoull, which do not handle NULL pointers safely.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by an attacker to cause a Denial of Service (DoS) on the owntone-server. By sending crafted HTTP requests, the attacker can crash the server, making it unavailable to legitimate users.

The impact is limited to availability, as the CVSS score indicates no confidentiality or integrity loss, but a high impact on availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for crashes or Denial of Service (DoS) conditions in the owntone-server when it processes HTTP requests.'}, {'type': 'paragraph', 'content': 'Specifically, sending crafted HTTP requests similar to the following can help detect the vulnerability:'}, {'type': 'list_item', 'content': 'Send an HTTP PUT request to the endpoint "/api/outputs/set" with a JSON payload containing malformed data such as: {"outputs": [123, null, {"id": "456"}, [], "valid", true]}'}, {'type': 'list_item', 'content': 'Follow this with an HTTP GET request to "/api/outputs" to trigger the vulnerable function safe_atou64 with a NULL parameter.'}, {'type': 'paragraph', 'content': 'Example commands using curl to test this might be:'}, {'type': 'list_item', 'content': 'curl -X PUT -H "Content-Type: application/json" -d \'{"outputs": [123, null, {"id": "456"}, [], "valid", true]}\' http://<server_address>/api/outputs/set'}, {'type': 'list_item', 'content': 'curl http://<server_address>/api/outputs'}, {'type': 'paragraph', 'content': 'If the server crashes or becomes unresponsive after these requests, it indicates the presence of the vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves updating the owntone-server to a version that includes the patch addressing this vulnerability.'}, {'type': 'paragraph', 'content': 'The patch adds null pointer checks in all safe integer conversion functions, including safe_atou64, preventing the NULL pointer dereference that causes the Denial of Service.'}, {'type': 'paragraph', 'content': 'If updating is not immediately possible, consider implementing network-level protections such as filtering or blocking suspicious HTTP requests that contain malformed JSON payloads targeting the "/api/outputs/set" endpoint.'}, {'type': 'paragraph', 'content': 'Additionally, monitor server logs for debug messages related to integer conversion failures and crashes to detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0