CVE-2026-26829
Published: 23 March 2026
Summary
CVE-2026-26829 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 19.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).
Deeper analysis
A NULL pointer dereference exists in the safe_atou64 function in src/misc.c of owntone-server through commit c4d57aa. The flaw is reachable from network input and is classified as CWE-476; its CVSS 3.1 base score of 7.5 reflects a high impact on availability with no privileges, authentication or user interaction required.
An unauthenticated remote attacker can trigger the defect by sending a series of specially crafted HTTP requests to the server, resulting in a crash and denial of service. No privileges or local access are needed, making the issue exploitable over the network against any exposed owntone-server instance.
Public references include a proof-of-concept repository, a dedicated security advisory, and a subsequent commit that addresses the issue. The associated EPSS score has remained flat at a low value of 0.0140 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14465
Vulnerability details
A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.
- CWE(s): CWE-476 (NULL Pointer Dereference)
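The following is an added illustration of the CWE-476 pattern this advisory describes; it is not owntone's code and not the patched function. The page does not say which argument of safe_atou64 is NULL or which HTTP parameter reaches it, so the absent-query-parameter path, the `offset` parameter name and the `query_param` helper are assumptions made for the example. It shows the unchecked parser shape next to a hardened form that treats NULL and malformed input as a parse error (the SI-11 error-handling control) instead of a crash:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical query-string lookup (not owntone's): copies the value of `name`
 * into `out` and returns it, or returns NULL when the parameter is absent. */
const char *
query_param(const char *query, const char *name, char *out, size_t outlen)
{
  size_t nlen = strlen(name);
  const char *p = query;

  while (p && *p)
    {
      const char *sep = strchr(p, '&');
      size_t plen = sep ? (size_t)(sep - p) : strlen(p);

      if (plen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=')
        {
          size_t vlen = plen - nlen - 1;

          if (vlen >= outlen)
            vlen = outlen - 1;
          memcpy(out, p + nlen + 1, vlen);
          out[vlen] = '\0';
          return out;
        }
      p = sep ? sep + 1 : NULL;
    }
  return NULL; /* absent parameter: this NULL is what reaches the parser */
}

/* CWE-476 shape: str goes straight into strtoull() with no NULL check, so an
 * absent parameter becomes a segfault. For contrast only; never call with NULL. */
int
atou64_unchecked(const char *str, uint64_t *val)
{
  char *end;
  unsigned long long v;

  errno = 0;
  v = strtoull(str, &end, 10);
  if (end == str || errno == ERANGE)
    return -1;
  *val = (uint64_t)v;
  return 0;
}

/* Hardened form: NULL, empty, negative, out-of-range and trailing-garbage input
 * are all parse failures (SI-11 style error handling), not crashes. strtoull()
 * silently negates "-1" and stops at the first non-digit, hence the '-' and
 * *end checks. */
int
atou64_checked(const char *str, uint64_t *val)
{
  char *end;
  unsigned long long v;

  if (str == NULL || val == NULL || *str == '\0' || *str == '-')
    return -1;
  errno = 0;
  v = strtoull(str, &end, 10);
  if (errno == ERANGE || end == str || *end != '\0')
    return -1;
  *val = (uint64_t)v;
  return 0;
}

/* Handler shape for an optional numeric `offset` parameter: 0 and *offset set on
 * success, -1 on missing/malformed input (HTTP 400 in a real server). */
int
handle_offset_param(const char *query, uint64_t *offset)
{
  char buf[32];
  const char *s = query_param(query, "offset", buf, sizeof buf);

  return atou64_checked(s, offset); /* safe even when s == NULL */
}

int
main(void)
{
  const char *inputs[] = { "offset=42&limit=5", "limit=5", "offset=-1", "offset=12abc" };
  size_t i;

  for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    {
      uint64_t off = 0;
      int rc = handle_offset_param(inputs[i], &off);

      printf("%-20s -> rc=%d offset=%llu\n", inputs[i], rc, (unsigned long long)off);
    }
  return 0;
}
```

Build with `cc -Wall -o atou64 atou64.c` and run it; swapping `atou64_checked` for `atou64_unchecked` inside `handle_offset_param` reproduces the crash class on the `limit=5` input (no `offset` present). When reviewing the fix commit referenced above, the things to confirm are that the parser rejects a NULL string argument and that every network-reachable caller handles the -1 return rather than assuming the output was written.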
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
NULL pointer dereference in public-facing owntone-server enables remote exploitation of the application (T1190) to trigger crashes via crafted HTTP requests, directly mapping to application/system exploitation for endpoint DoS (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of the NULL pointer dereference flaw in owntone-server's safe_atou64 function via patching.
- SC-5 (Denial-of-service Protection): Implements protections against denial-of-service attacks from a series of crafted HTTP requests causing server crashes.
- SI-11 (Error Handling): Ensures secure error handling in safe_atou64 so that invalid input is rejected as an error rather than crashing the server, without compromising system functionality.