Denial of Service Vulnerability in Owntone Server Due to NULL Pointer Dereference
CVE-2025-57156

7.5 HIGH

Key Information:

Vendor: Owntone

CVE Published: 20 January 2026

What is CVE-2025-57156?

The Owntone Server contains a NULL pointer dereference in the dacp_reply_playqueueedit_clear function. Remote attackers can exploit this flaw to crash the server unexpectedly, potentially resulting in a Denial of Service condition. The issue surfaced in the server's source code modifications after version 28.12, which underscores the importance of ongoing updates and security measures to mitigate such risks.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
