CVE-2026-49127
Stack Buffer Overflow in Music Player Daemon
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| music_player_daemon | mpd | to 0.24.11 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-49127 is a stack buffer overflow vulnerability in the Music Player Daemon (MPD) before version 0.24.11. It occurs in the pcm_unpack_24be function within the PCM decoder plugin, where an off-by-one error causes the unpack loop to write 1366 entries into a buffer sized for 1365 entries. This results in overwriting four bytes past the buffer boundary with three attacker-controlled bytes from an HTTP response body.
An unauthenticated attacker can exploit this by sending two MPD commands referencing a malicious HTTP audio source, causing stack memory corruption that can lead to daemon termination or potentially arbitrary code execution.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including denial of service and potential arbitrary code execution. An attacker can remotely exploit the flaw without authentication by sending specially crafted commands, causing the MPD daemon to crash or allowing the attacker to execute malicious code on the affected system.
- Denial of Service (DoS) through daemon termination.
- Potential arbitrary code execution leading to full system compromise.
- Remote exploitation without requiring any authentication.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for abnormal termination or crashes of the Music Player Daemon (MPD) service, especially when it processes HTTP audio sources. Since the exploit involves sending specially crafted HTTP requests to the default MPD port (6600), network traffic analysis for unusual or malformed HTTP audio requests referencing audio/L24 content may indicate exploitation attempts.
A practical detection approach is to use network monitoring tools like tcpdump or Wireshark to capture traffic on port 6600 and look for suspicious HTTP audio requests.
Example commands to detect potential exploitation attempts include:
- tcpdump -i <interface> port 6600 -w mpd_traffic.pcap
- tshark -r mpd_traffic.pcap -Y 'http && http.content_type == "audio/L24"'
- grep or custom scripts to analyze MPD logs for crashes or unusual errors related to PCM decoding or buffer overflows.
Additionally, checking the MPD version installed on your system can help identify if it is vulnerable (versions before 0.24.11 are affected).
- mpd --version
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, where the vulnerability has been fixed by properly adjusting the buffer size calculation in the PCM decoder plugin.
If upgrading immediately is not possible, consider restricting network access to the MPD service, especially blocking or filtering incoming traffic on the default port 6600 from untrusted sources to prevent exploitation attempts.
Monitoring MPD logs for crashes or abnormal behavior and restarting the service as needed can help maintain availability until the patch is applied.