Home

Description

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

PUBLISHED Reserved 2026-05-27 | Published 2026-05-28 | Updated 2026-05-29 | Assigner VulnCheck




HIGH: 8.8CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Problem types

Off-by-one Error

Product status

Default status
affected

Any version before 0.24.11
affected

Credits

Matteo Strada finder

Daniele Berardinelli finder

References

mstreet97.github.io/...026/05/25/Four_Bugs_Reachable_nc.html technical-description exploit

www.musicpd.org/news/2026/05/mpd-0-24-11-released/ release-notes patch

raw.githubusercontent.com/...cPlayerDaemon/MPD/v0.24.11/NEWS release-notes

github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11 release-notes

github.com/MusicPlayerDaemon/MPD/issues/2485 issue-tracking

github.com/...ommit/59911028c020f84bc2e669da6a1ef88121301274 patch

www.vulncheck.com/...ack-buffer-overflow-via-pcm-unpack-24be third-party-advisory

cve.org (CVE-2026-49127)

nvd.nist.gov (CVE-2026-49127)

Download JSON