CVE-2026-41458
Race Condition in OwnTone DAAP Login Causes Remote DoS
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owntone | server | From 28.4 (inc) to 29.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-41458 is a race condition vulnerability in OwnTone Server versions 28.4 through 29.0, specifically in the DAAP (Digital Audio Access Protocol) login handler. Multiple concurrent login requests access the global DAAP session list without synchronization, so one request can modify the list while another is still reading or modifying it.
This lack of synchronization allows unauthenticated attackers to flood the DAAP /login endpoint with concurrent requests and crash the server through conflicting concurrent access in session management.
The root cause is missing mutex protection around the session list. The fix introduces a mutex that serializes access, refactors the session list operations to take that lock, and changes login, logout, and session validation so they handle sessions only while holding it.
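To make the fix concrete, the following is an added example (not OwnTone's own code) of a DAAP-style global session list in which login, session validation and logout all run under a single mutex, which is the pattern the fix describes. The function names (daap_session_*), the list layout and the stress routine are assumptions for illustration; they are not taken from the OwnTone source.

```c
/* Added example, not OwnTone's code: a global session list whose add, lookup
 * and remove paths all run under one mutex. Names are hypothetical. */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct daap_session { uint32_t id; struct daap_session *next; };

/* Shared state; every access below is guarded by sessions_lck. Without the
 * lock, two concurrent /login handlers could both link a node onto the same
 * head (losing one) or free a node that another handler is still walking. */
static struct daap_session *sessions = NULL;
static uint32_t next_id = 1;
static pthread_mutex_t sessions_lck = PTHREAD_MUTEX_INITIALIZER;

/* Login: create a session and link it. Returns its id, or 0 on allocation failure. */
uint32_t daap_session_add(void) {
    struct daap_session *s = calloc(1, sizeof *s);
    if (!s) return 0;
    pthread_mutex_lock(&sessions_lck);
    s->id = next_id++;
    s->next = sessions;
    sessions = s;
    uint32_t id = s->id;            /* copy before unlocking: s may be freed afterwards */
    pthread_mutex_unlock(&sessions_lck);
    return id;
}

/* Session validation: 1 if id is live, else 0. The walk happens under the
 * lock so a concurrent logout cannot free a node out from under it. */
int daap_session_is_valid(uint32_t id) {
    int found = 0;
    pthread_mutex_lock(&sessions_lck);
    for (struct daap_session *s = sessions; s; s = s->next)
        if (s->id == id) { found = 1; break; }
    pthread_mutex_unlock(&sessions_lck);
    return found;
}

/* Logout: unlink and free. Returns 1 if a session was removed, 0 if not found. */
int daap_session_remove(uint32_t id) {
    int removed = 0;
    pthread_mutex_lock(&sessions_lck);
    for (struct daap_session **pp = &sessions; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct daap_session *victim = *pp;
            *pp = victim->next;
            free(victim);
            removed = 1;
            break;
        }
    }
    pthread_mutex_unlock(&sessions_lck);
    return removed;
}

size_t daap_session_count(void) {
    size_t n = 0;
    pthread_mutex_lock(&sessions_lck);
    for (struct daap_session *s = sessions; s; s = s->next) n++;
    pthread_mutex_unlock(&sessions_lck);
    return n;
}

/* One client lifecycle: 1 if login, validate, logout and re-validate behave. */
int daap_session_lifecycle_ok(void) {
    uint32_t id = daap_session_add();
    return id != 0 && daap_session_is_valid(id) && daap_session_remove(id)
        && !daap_session_is_valid(id) && !daap_session_remove(id);
}

struct worker_arg { int iterations; int failures; };

static void *worker(void *p) {          /* simulates one client logging in/out repeatedly */
    struct worker_arg *a = p;
    for (int i = 0; i < a->iterations; i++)
        if (!daap_session_lifecycle_ok()) a->failures++;
    return NULL;
}

/* Run nthreads concurrent clients against the list. Returns the number of
 * failed lifecycles (0 when the lock serializes access), or -1 on thread errors. */
int daap_session_stress(int nthreads, int iterations) {
    pthread_t *tids = calloc(nthreads, sizeof *tids);
    struct worker_arg *args = calloc(nthreads, sizeof *args);
    int failures = 0;
    if (!tids || !args) { free(tids); free(args); return -1; }
    for (int i = 0; i < nthreads; i++) {
        args[i].iterations = iterations;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) != 0) { failures = -1; nthreads = i; break; }
    }
    for (int i = 0; i < nthreads; i++) {
        pthread_join(tids[i], NULL);
        if (failures >= 0) failures += args[i].failures;
    }
    free(tids); free(args);
    return failures;
}

int main(void) {
    int failures = daap_session_stress(8, 5000);
    printf("failed lifecycles: %d, sessions left: %zu\n", failures, daap_session_count());
    return failures != 0;
}
```

Building with `-fsanitize=thread` and then removing the lock/unlock pairs is a quick way to see the data race the advisory describes reported directly by the sanitizer; with the mutex in place the stress run completes with zero failures and an empty list.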
How can this vulnerability impact me?
This vulnerability can be exploited by unauthenticated attackers to cause a remote denial of service (DoS) condition on the OwnTone Server by crashing it.
By sending many concurrent requests to the DAAP /login endpoint, an attacker can trigger the race condition and crash the server, making the service unavailable to legitimate users.
This impacts the availability of the server and any services relying on it, potentially disrupting operations or user access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring for unusual or excessive concurrent requests to the DAAP /login endpoint of the OwnTone Server: a flood of concurrent unauthenticated requests to /login is the precondition for triggering the race, and it typically precedes a server crash or instability.
The resources provide no explicit detection commands, but network administrators can use tools like tcpdump or Wireshark to capture and inspect traffic to the DAAP port. tcpdump's BPF filter language has no payload string operator, so match on the port and filter the decoded payload, for example:
- tcpdump -i <interface> -nn -A 'tcp dst port <DAAP_port>' | grep --line-buffered 'GET /login'
- Use server logs to identify repeated or concurrent login requests from the same or multiple IP addresses.
Additionally, stress testing or proof-of-concept tests that flood the /login endpoint with concurrent requests can confirm the presence of the vulnerability if the server crashes or becomes unresponsive.
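As an added example of the log-based check above (not part of the original page or of OwnTone), the following C program scans access-style log lines for bursts of /login requests from a single source inside a time window and reports the peak. The log format ("epoch_seconds client_ip method path"), the sample lines and the alert threshold are constructed for the example; real OwnTone log lines will need their own parser in place of parse_login_line.

```c
/* Added example, not OwnTone's own code: find bursts of DAAP /login requests
 * from one source in log lines of a hypothetical "epoch ip method path" format. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_EVENTS 256
#define IP_LEN 46            /* room for an IPv6 literal plus NUL */

struct login_event { long ts; char ip[IP_LEN]; };

/* Constructed sample: one client issues five /login requests within three
 * seconds, another logs in once and out again, the first returns later. */
static const char *sample_log[] = {
    "1700000000 192.0.2.10 GET /server-info",
    "1700000001 192.0.2.10 GET /login",
    "1700000001 192.0.2.10 GET /login",
    "1700000002 192.0.2.10 GET /login",
    "1700000002 192.0.2.10 GET /login",
    "1700000003 192.0.2.10 GET /login",
    "1700000004 198.51.100.7 GET /login",
    "1700000005 198.51.100.7 GET /logout",
    "1700000020 192.0.2.10 GET /login",
};
#define SAMPLE_LOG_LEN (sizeof sample_log / sizeof sample_log[0])

/* Parse one line; return 1 and fill *ev only if it is a GET /login request. */
int parse_login_line(const char *line, struct login_event *ev) {
    char method[8], path[64];
    if (sscanf(line, "%ld %45s %7s %63s", &ev->ts, ev->ip, method, path) != 4)
        return 0;
    return strcmp(method, "GET") == 0 && strcmp(path, "/login") == 0;
}

/* Largest number of /login requests from any single IP inside any window of
 * window_secs seconds. peak_ip (at least IP_LEN bytes) receives that source. */
int peak_login_burst(const char **lines, size_t nlines, long window_secs, char *peak_ip) {
    struct login_event ev[MAX_EVENTS];
    size_t n = 0;
    for (size_t i = 0; i < nlines && n < MAX_EVENTS; i++)
        if (parse_login_line(lines[i], &ev[n]))
            n++;
    int peak = 0;
    peak_ip[0] = '\0';
    /* Quadratic scan is fine for a demo; a production scanner buckets per IP. */
    for (size_t i = 0; i < n; i++) {
        int count = 0;
        for (size_t j = 0; j < n; j++)
            if (strcmp(ev[i].ip, ev[j].ip) == 0 &&
                ev[j].ts >= ev[i].ts && ev[j].ts < ev[i].ts + window_secs)
                count++;
        if (count > peak) { peak = count; strcpy(peak_ip, ev[i].ip); }
    }
    return peak;
}

/* Convenience wrappers over the constructed sample. */
int sample_log_peak(long window_secs) {
    char ip[IP_LEN];
    return peak_login_burst(sample_log, SAMPLE_LOG_LEN, window_secs, ip);
}

const char *sample_log_peak_source(long window_secs) {
    static char ip[IP_LEN];
    peak_login_burst(sample_log, SAMPLE_LOG_LEN, window_secs, ip);
    return ip;
}

int main(void) {
    const int threshold = 4;   /* assumed alert threshold, tune to normal client behaviour */
    int peak = sample_log_peak(5);
    printf("peak /login burst: %d from %s in a 5 s window%s\n",
           peak, sample_log_peak_source(5), peak >= threshold ? " [ALERT]" : "");
    return 0;
}
```

A legitimate DAAP client logs in once per session, so a threshold of a handful of /login requests per source per few seconds separates normal use from a flood; the window and threshold are the knobs to tune against a baseline of your own logs.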
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the OwnTone Server to version 29.1 or later, where the vulnerability has been fixed by introducing proper synchronization mechanisms (mutex locking) to protect the DAAP session list from concurrent access.
If upgrading immediately is not possible, consider implementing network-level protections such as rate limiting or firewall rules to restrict the number of concurrent unauthenticated requests to the DAAP /login endpoint to prevent flooding.
Monitoring and alerting on unusual spikes in /login requests can also help in early detection and response to exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.