CVE-2026-49127
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
28/05/2026
Last modified:
29/05/2026
Description
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
Impact
Base Score 4.0
8.80
Severity 4.0
HIGH
Base Score 3.x
8.60
Severity 3.x
HIGH
References to Advisories, Solutions, and Tools
- https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274
- https://github.com/MusicPlayerDaemon/MPD/issues/2485
- https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
- https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
- https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
- https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
- https://www.vulncheck.com/advisories/music-player-daemon-stack-buffer-overflow-via-pcm-unpack-24be



