CVE-2026-49127
Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be
CVSS Score: 8.6
EPSS Score: 0.1%
EPSS Percentile: 20th
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
| Field | Value |
| --- | --- |
| CWE | CWE-193 |
| Vendor | musicplayerdaemon |
| Product | mpd |
| Published | May 28, 2026 |
| Last Updated | May 29, 2026 |
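The summary above describes an unpack loop that writes 1366 entries into a 1365-entry buffer. The following C example is added here and is not MPD's code or the upstream fix: it shows a 24-bit big-endian unpack routine that bounds the loop by the destination capacity, run on constructed input using the 1366/1365 counts from the summary. The function names, the guard value and the input bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Counts quoted in the advisory summary: 1366 samples aimed at 1365 slots. */
enum { DEST_ENTRIES = 1365, SRC_SAMPLES = 1366 };
#define CANARY 0x5A5A5A5A /* constructed guard value placed after the buffer */

/* Decode one signed 24-bit big-endian sample without implementation-defined casts. */
static int32_t read_s24be(const uint8_t *p)
{
    uint32_t v = ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
    return (int32_t)(v ^ 0x800000u) - 0x800000; /* sign-extend bit 23 */
}

/* Hypothetical hardened unpack: never writes more than dest_cap entries.
 * Returns entries written; *dropped gets whole samples that did not fit. */
size_t unpack_24be_checked(int32_t *dest, size_t dest_cap,
                           const uint8_t *src, size_t src_bytes, size_t *dropped)
{
    size_t avail = src_bytes / 3; /* whole samples only, partial tail ignored */
    size_t n = avail < dest_cap ? avail : dest_cap;
    for (size_t i = 0; i < n; i++)
        dest[i] = read_s24be(src + 3 * i);
    if (dropped)
        *dropped = avail - n;
    return n;
}

/* Feed one sample too many and return the guard slot that follows the buffer. */
int32_t demo_overlong_input(size_t *written, size_t *dropped)
{
    static uint8_t src[SRC_SAMPLES * 3]; /* constructed input, 4098 bytes */
    int32_t dest[DEST_ENTRIES + 1];      /* last slot is the guard */
    memset(src, 0xFF, sizeof src);       /* every sample decodes to -1 */
    dest[DEST_ENTRIES] = CANARY;
    *written = unpack_24be_checked(dest, DEST_ENTRIES, src, sizeof src, dropped);
    return dest[DEST_ENTRIES];
}

int main(void)
{
    size_t w, d;
    int32_t guard = demo_overlong_input(&w, &d);
    printf("written=%zu dropped=%zu guard_intact=%d\n", w, d, guard == CANARY);
    return 0;
}
```

A non-zero dropped count means the caller handed over more samples than the buffer holds, which is worth logging or treating as a decode error rather than silently truncating.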
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: High
Affected Versions
MusicPlayerDaemon / MPD
0 < 0.24.11
References
mstreet97.github.io: https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html
musicpd.org: https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/
raw.githubusercontent.com: https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS
github.com: https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11
github.com: https://github.com/MusicPlayerDaemon/MPD/issues/2485
github.com: https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274
vulncheck.com: https://www.vulncheck.com/advisories/music-player-daemon-stack-buffer-overflow-via-pcm-unpack-24be
Credits
Matteo Strada, Daniele Berardinelli