Cyber Resilience

CVE-2026-26828

High

Published: 23 March 2026

Published
23 March 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0006 18.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26828 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-26828 is a NULL pointer dereference vulnerability in the daap_reply_playlists function located in src/httpd_daap.c of owntone-server at commit 3d1652d. Published on 2026-03-23, it affects the owntone-server media server software and is classified under CWE-476 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The flaw enables attackers to trigger a Denial of Service (DoS) condition by sending a crafted DAAP request to the server.

Remote attackers require no authentication or privileges and can exploit this over the network with low complexity and no user interaction. Successful exploitation causes high-impact availability disruption, typically resulting in server crashes or denial of service without affecting confidentiality or integrity.

Mitigation details are outlined in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md, a patch commit at https://github.com/owntone/owntone-server/commit/9ac54f0b42491c4862791db4c5368ff80c4000d3, and the related issue tracker at https://github.com/owntone/owntone-server/issues/1961. Security practitioners should update to the patched version to address the vulnerability.

EU & UK References

Vulnerability details

A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in public-facing DAAP/HTTP service allows remote unauthenticated crafted request to crash the server process, directly enabling application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40413Shared CWE-476
CVE-2025-57155Shared CWE-476
CVE-2026-28390Shared CWE-476
CVE-2026-23952Shared CWE-476
CVE-2025-57156Shared CWE-476
CVE-2025-63647Shared CWE-476
CVE-2025-69624Shared CWE-476
CVE-2024-55193Shared CWE-476
CVE-2025-63648Shared CWE-476
CVE-2026-25795Shared CWE-476

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the NULL pointer dereference by applying the vendor patch to owntone-server.

prevent

Error handling mitigates crashes from NULL pointer dereferences by ensuring graceful failure instead of denial of service.

prevent

Input validation on DAAP requests prevents crafted inputs from triggering the NULL pointer dereference in daap_reply_playlists.

References