CVE-2026-26828
Published: 23 March 2026
Summary
CVE-2026-26828 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-11 (Error Handling).
Deeper analysis
CVE-2026-26828 is a NULL pointer dereference vulnerability in the daap_reply_playlists function located in src/httpd_daap.c of owntone-server at commit 3d1652d. Published on 2026-03-23, it affects the owntone-server media server software and is classified under CWE-476 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The flaw enables attackers to trigger a Denial of Service (DoS) condition by sending a crafted DAAP request to the server.
Remote attackers require no authentication or privileges and can exploit this over the network with low complexity and no user interaction. Successful exploitation causes high-impact availability disruption, typically resulting in server crashes or denial of service without affecting confidentiality or integrity.
Mitigation details are outlined in the Archer Security advisory at https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2026.md, a patch commit at https://github.com/owntone/owntone-server/commit/9ac54f0b42491c4862791db4c5368ff80c4000d3, and the related issue tracker at https://github.com/owntone/owntone-server/issues/1961. Security practitioners should update to the patched version to address the vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14463
Vulnerability details
A NULL pointer dereference in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server commit 3d1652d allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
NULL pointer dereference in public-facing DAAP/HTTP service allows remote unauthenticated crafted request to crash the server process, directly enabling application exploitation for endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the NULL pointer dereference by applying the vendor patch to owntone-server.
Error handling mitigates crashes from NULL pointer dereferences by ensuring graceful failure instead of denial of service.
Input validation on DAAP requests prevents crafted inputs from triggering the NULL pointer dereference in daap_reply_playlists.