{"id":"CVE-2026-49127","summary":"Music Player Daemon \u003c 0.24.11 Stack Buffer Overflow via pcm_unpack_24be","details":"Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.","modified":"2026-07-08T08:13:39.543208882Z","published":"2026-05-28T18:59:13.786Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49127.json","cwe_ids":["CWE-193"],"cna_assigner":"VulnCheck"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49127.json"},{"type":"ADVISORY","url":"https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49127"},{"type":"ADVISORY","url":"https://raw.githubusercontent.com/MusicPlayerDaemon/MPD/v0.24.11/NEWS"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/music-player-daemon-stack-buffer-overflow-via-pcm-unpack-24be"},{"type":"REPORT","url":"https://github.com/MusicPlayerDaemon/MPD/issues/2485"},{"type":"FIX","url":"https://github.com/MusicPlayerDaemon/MPD/commit/59911028c020f84bc2e669da6a1ef88121301274"},{"type":"FIX","url":"https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/"},{"type":"PACKAGE","url":"https://github.com/MusicPlayerDaemon/MPD"},{"type":"EVIDENCE","url":"https://mstreet97.github.io/security-research/opensource/vulnerability-disclosure/cybersecurity/cve/2026/05/25/Four_Bugs_Reachable_nc.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/musicplayerdaemon/mpd","events":[{"introduced":"0"},{"fixed":"0fd151f7469b4658b18b39b5c886dd8246149abc"},{"fixed":"59911028c020f84bc2e669da6a1ef88121301274"}],"database_specific":{"source":["DESCRIPTION","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"0.24.11"}]}}],"versions":["v0.24.10","v0.24.9","v0.24.8","v0.24.7","v0.24.6","v0.24.5","v0.24.4","v0.24.3","v0.24.2","v0.24.1","v0.24","v0.23.5","v0.23.4","v0.23.3","v0.23.2","v0.23.1","v0.23","v0.22","v0.21.5","v0.21.4","v0.21.3","v0.21.2","v0.21.1","v0.21","v0.20.3","v0.20.2","v0.20.1","v0.20","v0.19.1","v0.19","v0.18.4","v0.18.3","v0.18.2","v0.18.1","v0.18","v0.17","v0.16","v0.16_alpha3","v0.16_alpha2","v0.16_alpha1","v0.15","v0.15_beta2","v0.15_beta1","v0.15_alpha1","v0.14","v0.14_beta3","v0.14_beta2","v0.14_beta1","v0.14_alpha3","v0.14_alpha2","v0.14_alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49127.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N"}]}