CVEFinder.io

CVE-2026-41458

🔶 medium
🔍 Scan for this CVE
Summary

OwnTone Server versions 28.4 through 29.0 contain a race condition vulnerability in the DAAP login handler that allows unauthenticated attackers to crash the server by exploiting unsynchronized access to the global DAAP session list. Attackers can flood the DAAP /login endpoint with concurrent requests to trigger a remote denial of service condition without requiring authentication.

CVSS Score
-
EPSS Score
0.4
Exploit Probability
Published Date
2026-04-22
First Seen: 2026-07-15
🎯 CISA SSVC Assessment Updated: Apr 22, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Younghyo Cho @ CIS Lab., Seoultech.
SSVC data provided by CISA
Last Modified 2026-07-14
Source NVD 🔗
CVSS Vector 4.0 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE IDs (Weakness Types)

📦 Affected Products 0

No affected products information available

🔗 References 3