{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26828", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T16:57:05.556Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T16:15:27.738Z"}, "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server"}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/owntone/owntone-server/issues/1961"}, {"url": "https://github.com/owntone/owntone-server/commit/9ac54f0b42491c4862791db4c5368ff80c4000d3"}, {"url": "https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "CWE-476 NULL Pointer Dereference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:57:02.534499Z", "id": "CVE-2026-26828", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:57:05.556Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26828", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:57:02.534499Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:56:55.122Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/owntone/owntone-server/issues/1961"}, {"url": "https://github.com/owntone/owntone-server/commit/9ac54f0b42491c4862791db4c5368ff80c4000d3"}, {"url": "https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md"}], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T16:15:27.738Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26828", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:57:05.556Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server"}, {"lang": "es", "value": "Una desreferencia de puntero NULL en la funci\u00f3n daap_reply_playlists (src/httpd_daap.c) de owntone-server commit 3d1652d permite a los atacantes causar una Denegaci\u00f3n de Servicio (DoS) mediante el env\u00edo de una solicitud DAAP manipulada al servidor."}], "id": "CVE-2026-26828", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T17:16:47.863", "references": [{"source": "cve@mitre.org", "url": "https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md"}, {"source": "cve@mitre.org", "url": "https://github.com/owntone/owntone-server/commit/9ac54f0b42491c4862791db4c5368ff80c4000d3"}, {"source": "cve@mitre.org", "url": "https://github.com/owntone/owntone-server/issues/1961"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "3d1652d"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "owntone-server", "vendor": "owntone"}], "analysis": {"en": {"generated_at": "2026-03-23T18:51:14.962065+00:00", "value": {"mitigation_remediation": ["Upgrade owntone-server to a release that contains the patch commit 9ac54f0 or later, which resolves the NULL pointer dereference."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The owntone\u2011server application is affected. No explicit vendor or product name is listed in the CNA data; however, the vulnerability is tied to a specific code commit (3d1652d). All releases prior to the fix commit (9ac54f0) are potentially vulnerable. Users should verify whether their installed version contains the vulnerable commit and upgrade accordingly.", "description_and_impact": "A NULL pointer dereference occurs in the daap_reply_playlists function of owntone-server, which can be triggered by sending a specially crafted DAAP request. The flaw causes the application to crash, resulting in a denial of service that can render the server unavailable to legitimate users. The vulnerability is identified as CWE\u2011476, a classic null pointer dereference flaw that directly impacts the runtime integrity of the server process.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity risk. While the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the flaw remains easy to exploit because the attack vector is via a standard DAAP request over the network. The attacker only needs to send a crafted request to reach the owntone-server instance. Because the weakness is a null pointer dereference, exploitation requires no special skills beyond crafting the request, resulting in an immediate server crash. This high severity DoS risk makes the vulnerability a top priority for any publicly exposed owntone-server deployment."}}}}, "created": "2026-03-24T10:35:03.140302+00:00", "title": "Null Pointer Dereference in owntone-server Leads to DoS via Crafted DAAP Request", "updated": "2026-03-25T14:50:11.879408+00:00", "vendors": ["owntone", "owntone$PRODUCT$owntone-server"]}