CVE-2026-41458

Severity: High · Public PoC

Published: 22 April 2026

Modified: 22 April 2026
CVSS Score (v4): 8.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0036 (28.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-41458 is a high-severity Race Condition (CWE-362) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 28.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

CWE(s)

CWE-362 Race Condition

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-derived mapping)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The race condition in the public DAAP login handler directly enables a remote application crash via concurrent unauthenticated requests, matching endpoint denial of service by exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28986 (shared CWE-362)
CVE-2026-34856 (shared CWE-362)
CVE-2026-42594 (shared CWE-362)
CVE-2025-21701 (shared CWE-362)
CVE-2026-34851 (shared CWE-362)
CVE-2025-30444 (shared CWE-362)
CVE-2026-23440 (shared CWE-362)
CVE-2025-43244 (shared CWE-362)
CVE-2026-46727 (shared CWE-362)
CVE-2026-26201 (shared CWE-362)

Affected Assets

OwnTone Server (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-362: Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.

Addresses CWE-362: Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.