Cyber Resilience

CVE-2026-26829

Severity: High
Published: 23 March 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: a fixing commit exists (see Deeper analysis)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0140 (80.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26829 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.2% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-11 (Error Handling).

Deeper analysis

A NULL pointer dereference vulnerability exists in the safe_atou64 function within src/misc.c of owntone-server through commit c4d57aa. The flaw is reachable via network input and is tracked under CWE-476, carrying a CVSS 3.1 score of 7.5 that reflects high impact on availability with no requirements for authentication or user interaction.

An unauthenticated remote attacker can trigger the defect by sending a series of specially crafted HTTP requests to the server, resulting in a crash and denial of service. No privileges or local access are needed, making the issue exploitable over the network against any exposed owntone-server instance.

Public references include a proof-of-concept repository, a dedicated security advisory, and a subsequent commit that addresses the issue. The associated EPSS score has remained flat at a low value of 0.0140 with no material increase observed after disclosure.


Vulnerability details

A NULL pointer dereference in the safe_atou64 function (src/misc.c) of owntone-server through commit c4d57aa allows attackers to cause a Denial of Service (DoS) via sending a series of crafted HTTP requests to the server.

CWE(s): CWE-476 NULL Pointer Dereference

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The NULL pointer dereference in a public-facing owntone-server instance lets a remote attacker exploit the application (T1190) to trigger crashes with crafted HTTP requests, which maps directly to application or system exploitation for endpoint denial of service (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32696 (shared CWE-476)
CVE-2024-24442 (shared CWE-476)
CVE-2026-23148 (shared CWE-476)
CVE-2026-33283 (shared CWE-476)
CVE-2025-63655 (shared CWE-476)
CVE-2025-14769 (shared CWE-476)
CVE-2026-27651 (shared CWE-476)
CVE-2026-42409 (shared CWE-476)
CVE-2026-29785 (shared CWE-476)
CVE-2026-0918 (shared CWE-476)

Affected Assets: owntone-server through commit c4d57aa

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires timely identification, reporting, and correction of the NULL pointer dereference flaw in owntone-server's safe_atou64 function via patching.

Prevent (SC-5, Denial-of-service Protection): Implements protections against denial-of-service attacks in which a series of crafted HTTP requests causes server crashes.

Prevent (SI-11, Error Handling): Ensures secure error handling in safe_atou64 so that invalid input is rejected without crashing the server or compromising system functionality.
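As an added illustration of the SI-11 error-handling control, the following hypothetical parser (not owntone's code and not the fix referenced on this page) shows how a string-to-uint64 helper in the role of safe_atou64 can fail closed on NULL, empty, signed, out-of-range and trailing-garbage input instead of crashing; the function names, signature and sample values are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical hardened parser, not owntone's safe_atou64: converts a decimal
 * string to uint64_t, returning 0 on success and -1 on any rejected input.
 * The NULL check is the CWE-476 guard; the rest is SI-11-style strict handling. */
int parse_u64_checked(const char *str, uint64_t *val)
{
  char *end = NULL;
  unsigned long long tmp;

  /* A missing request parameter often reaches helpers as NULL; fail closed. */
  if (str == NULL || val == NULL)
    return -1;

  /* strtoull silently accepts leading whitespace and signs; refuse them. */
  if (*str == '\0' || isspace((unsigned char)*str) || *str == '-' || *str == '+')
    return -1;

  errno = 0;
  tmp = strtoull(str, &end, 10);

  /* ERANGE: out of range; end == str: no digits consumed; *end: trailing junk. */
  if (errno == ERANGE || end == str || *end != '\0')
    return -1;

  *val = (uint64_t)tmp;
  return 0;
}

/* Small wrappers so a caller (or a unit test) can check outcomes directly. */
bool accepts(const char *str)
{
  uint64_t v;
  return parse_u64_checked(str, &v) == 0;
}

bool parses_to(const char *str, uint64_t expected)
{
  uint64_t v;
  return parse_u64_checked(str, &v) == 0 && v == expected;
}
```

A caller that feeds request parameters through a helper like this gets a clean error path for malformed input, which is the behaviour SC-5 and SI-11 ask for here.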
