{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-26829", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-23T16:55:00.688Z", "dateReserved": "2026-02-16T00:00:00.000Z", "datePublished": "2026-03-23T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T16:16:42.544Z"}, "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/archersec/poc/tree/master/owntone-server-2"}, {"url": "https://github.com/owntone/owntone-server/commit/41e3733cccd527918a08cf05694c5493341bb70f"}, {"url": "https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-476", "lang": "en", "description": "CWE-476 NULL Pointer Dereference"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T16:54:40.907313Z", "id": "CVE-2026-26829", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:55:00.688Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-26829", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T16:54:40.907313Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476 NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T16:54:58.034Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/archersec/poc/tree/master/owntone-server-2"}, {"url": "https://github.com/owntone/owntone-server/commit/41e3733cccd527918a08cf05694c5493341bb70f"}, {"url": "https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md"}], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-23T16:16:42.544Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26829", "state": "PUBLISHED", "dateUpdated": "2026-03-23T16:55:00.688Z", "dateReserved": "2026-02-16T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-23T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server."}, {"lang": "es", "value": "Una desreferencia de puntero NULL en la funci\u00f3n safe_atou64 (src/misc.c) de owntone-server hasta el commit c4d57aa permite a los atacantes causar una Denegaci\u00f3n de Servicio (DoS) mediante el env\u00edo de una serie de solicitudes HTTP manipuladas al servidor."}], "id": "CVE-2026-26829", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-23T17:16:48.047", "references": [{"source": "cve@mitre.org", "url": "https://github.com/archersec/poc/tree/master/owntone-server-2"}, {"source": "cve@mitre.org", "url": "https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md"}, {"source": "cve@mitre.org", "url": "https://github.com/owntone/owntone-server/commit/41e3733cccd527918a08cf05694c5493341bb70f"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "c4d57aa"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "owntone-server", "vendor": "owntone"}], "analysis": {"en": {"generated_at": "2026-03-23T18:22:31.175831+00:00", "value": {"mitigation_remediation": ["Apply the latest owntone-server release or patch that includes commit 41e3733.", "If unable to upgrade immediately, limit HTTP access to trusted IP addresses or implement firewall rules to block malicious traffic.", "Validate that the service remains stable by sending test requests after applying the fix.", "Continuously monitor server logs for crashes or abnormal terminations."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The issue is confined to the HTTP interface of servers running owntone\u2011server that have not been updated to the fixed commit 41e3733. There is no publicly disclosed version range, but any instance prior to the patch is potentially vulnerable. The problem was identified in the source file src/misc.c and the fix is present in the commit referenced by the advisory. The advisory and patches are available in the owntone GitHub repository.", "description_and_impact": "Owntone-server contains a NULL pointer dereference bug in its safe_atou64 function. Attackers can exploit this flaw by sending crafted HTTP requests to the server, causing the process to crash and resulting in a denial of service. The vulnerability is a classic null pointer dereference (CWE\u2011476) that affects the availability of the media streaming service but does not provide code execution or privilege escalation. The impact is confined to service disruption for users depending on the server.", "risk_and_exploitability": "The CVSS base score of 7.5 indicates a high severity, while the EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalogue. Exploitation requires only unauthenticated HTTP access to the vulnerable endpoint; no special privileges or credentials are necessary. An attacker can repeatedly send malicious requests to bring down the service. Although no public exploits are known, the nature of the flaw makes it a high risk to availability for any user running an unpatched owntone-server."}}}}, "created": "2026-03-24T10:35:02.210991+00:00", "title": "Denial of Service via Null Pointer Dereference in Owntone-server HTTP Handler", "updated": "2026-03-25T14:50:10.834238+00:00", "vendors": ["owntone", "owntone$PRODUCT$owntone-server"]}