CVE-2026-49127 - Vulnerability Details

- Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be

Description

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

Published: 2026-05-28

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Music Player Daemon (MPD) versions prior to 0.24.11 contain a stack buffer overflow in the pcm_unpack_24be function within the PCM decoder plugin. An unauthenticated attacker can trigger the flaw by issuing two MPD commands that reference a malicious HTTP audio source. The unpack loop then writes 1366 entries into a 1365–entry buffer, overwriting four bytes past the boundary with attacker‑controlled bytes from an HTTP response. This off‑by‑one write can cause the daemon to terminate or, if the overflow is exploited, allow arbitrary code execution, potentially compromising system integrity and availability.

Affected Systems

The vulnerability affects the MusicPlayerDaemon:MPD product, impacting all releases before version 0.24.11. Users running any such prior version are at risk; no specific firmware or subscription tier mitigates the issue without updating.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can initiate exploitation remotely by sending crafted MPD commands over the audio protocol, without needing prior authentication. Because the flaw corrupts stack memory and can potentially lead to code execution, the risk to affected systems is significant, especially in environments where MPD listens on publicly reachable interfaces.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MusicPlayerDaemon

MPD

affected

Version	Status	Constraints
`0`	affected	< 0.24.11

No data.

Vendor Product Confidence Versions

Musicplayerdaemon

Mpd

100%

Version	Status	Scheme	Platform
`[0,0.24.11)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Music Player Daemon to version 0.24.11 or later to receive the fix for the pcm_unpack_24be buffer overflow.
Restrict access to the MPD daemon so that only trusted users or network segments can issue MPD commands, and enforce client authentication where feasible.
Disable or limit the use of HTTP audio source plugins that perform 24‑bit big‑endian unpacking, or validate and bound incoming audio payloads to prevent buffer overflows.

Generated by OpenCVE AI on May 28, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00063.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274
https://github.com/MusicPlayerDaemon/MPD/issues/2485
https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
https://www.vulncheck.com/advisories/music-player-daemon-stack-buffer-overflow-via-pcm-unpack-24be

History

Fri, 29 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 29 May 2026 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Musicplayerdaemon Musicplayerdaemon mpd
Vendors & Products		Musicplayerdaemon Musicplayerdaemon mpd

Thu, 28 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
References		https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html

Thu, 28 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Description		Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
Title		Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be
Weaknesses		CWE-193
References		https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274 https://github.com/MusicPlayerDaemon/MPD/issues/2485 https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11 https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/ https://www.vulncheck.com/advisories/music-player-daemon-stack-buffer-overflow-via-pcm-unpack-24be
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H'}` cvssV4_0 `{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Musicplayerdaemon Mpd

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-28T18:59:13.786Z

Updated: 2026-05-29T19:14:38.903Z

Reserved: 2026-05-27T17:40:12.738Z

Link: CVE-2026-49127

Vulnrichment

Updated: 2026-05-29T19:14:34.886Z

NVD

Status : Deferred

Published: 2026-05-28T20:16:26.387

Modified: 2026-05-29T14:07:47.980

Link: CVE-2026-49127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:01Z

Weaknesses

CWE-193

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object