OwnTone Server DAAP Request NULL Pointer Dereference Denial-of-Service (CVE-2026-26828)
A NULL pointer dereference vulnerability in the daap_reply_playlists function of owntone-server allows attackers to cause a Denial of Service (DoS) by sending a crafted DAAP request.
CVE-2026-26828 describes a NULL pointer dereference vulnerability in the daap_reply_playlists function (src/httpd_daap.c) of owntone-server. The vulnerability resides in commit 3d1652d of the owntone-server project. Attackers can exploit this vulnerability by sending a crafted Digital Audio Access Protocol (DAAP) request to the server, leading to a denial-of-service (DoS) condition. This vulnerability allows unauthenticated remote attackers to disrupt the availability of the owntone-server…
Detection coverage 2
Detect Suspicious DAAP Requests
mediumDetects suspicious DAAP requests based on HTTP request characteristics.
Detect Multiple Failed HTTP Requests to owntone server
lowDetects multiple failed HTTP requests to owntone server, potentially indicating a denial-of-service attempt.
Detection queries are kept inside the platform. Get full rules →
Indicators of compromise
1