Owntone Server NULL Pointer Dereference Vulnerability in DAAP Request Handling Allowing Denial-of-Service

Vulnerability

A NULL pointer dereference vulnerability has been identified in Owntone Server, in the parse_meta function in src/httpd_daap.c. It affects versions of Owntone Server through commit 334beb1 on the master branch. When the server processes a DAAP request with an empty 'meta' parameter, a NULL pointer is dereferenced, so a remote attacker can cause a denial-of-service condition by sending a crafted DAAP request.

Impact

Exploitation of this vulnerability leads to a crash of the Owntone Server, causing a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a DAAP request to the Owntone Server with an empty 'meta' parameter. This can be done using a tool that allows for the manipulation of HTTP headers and parameters, such as curl or a similar HTTP client.

Remediation

Users can update to the latest version of Owntone Server, where this vulnerability has been fixed.
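
For developers reviewing similar request parsers, the following added example (not Owntone's code and not the upstream fix) shows one way to parse a comma-separated 'meta' list so that an absent, empty or separator-only value yields zero fields instead of a pointer that is later dereferenced. The function name parse_meta_checked, the field table and the sample values are hypothetical, and the comma-separated layout of 'meta' is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical field table for this example; not the server's own list. */
static const char *known_fields[] = { "dmap.itemid", "dmap.itemname", "daap.songalbum" };
#define N_KNOWN (sizeof(known_fields) / sizeof(known_fields[0]))

/* Index of a known field matching name[0..len), or -1 if there is none. */
static int field_index(const char *name, size_t len)
{
  for (size_t i = 0; i < N_KNOWN; i++)
    if (strlen(known_fields[i]) == len && memcmp(name, known_fields[i], len) == 0)
      return (int)i;
  return -1;
}

/* Parse a comma-separated meta list into indexes of known fields.
 * Returns the number stored (0 for an absent, empty or separator-only
 * list) or -1 if the output buffer is unusable. */
int parse_meta_checked(const char *param, int *out, int max)
{
  int n = 0;
  if (!out || max <= 0)
    return -1;
  if (!param)                 /* no meta parameter in the query */
    return 0;
  /* Walk the string in place. An empty "meta=" never enters the loop, and
   * zero-length tokens (",,") are skipped, so no token is ever looked up
   * before it is known to contain at least one character. */
  for (const char *p = param; *p && n < max; )
    {
      size_t len = strcspn(p, ",");
      int idx = len ? field_index(p, len) : -1;
      if (idx >= 0)           /* unknown names are ignored, not fatal */
        out[n++] = idx;
      p += len;
      if (*p == ',') p++;
    }
  return n;
}

int main(void)
{
  /* Constructed sample values for the meta parameter. */
  const char *samples[] = { "dmap.itemid,dmap.itemname", "", ",,", "bogus,daap.songalbum" };
  int out[8];
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("meta=\"%s\" -> %d field(s)\n", samples[i], parse_meta_checked(samples[i], out, 8));
  return 0;
}
```

A regression test for a parser of this kind should include the empty and separator-only inputs alongside well-formed lists.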

Added: Jan 20, 2026, 9:25 PM
Updated: Jan 20, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.