Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-49127 is a stack buffer overflow vulnerability in the Music Player Daemon (MPD) before version 0.24.11. It occurs in the pcm_unpack_24be function within the PCM decoder plugin, where an off-by-one error causes the unpack loop to write 1366 entries into a buffer sized for 1365 entries. This results in overwriting four bytes past the buffer boundary with three attacker-controlled bytes from an HTTP response body.

An unauthenticated attacker can exploit this by sending two MPD commands referencing a malicious HTTP audio source, causing stack memory corruption that can lead to daemon termination or potentially arbitrary code execution.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including denial of service and potential arbitrary code execution. An attacker can remotely exploit the flaw without authentication by sending specially crafted commands, causing the MPD daemon to crash or allowing the attacker to execute malicious code on the affected system.

• Denial of Service (DoS) through daemon termination.
• Potential arbitrary code execution leading to full system compromise.
• Remote exploitation without requiring any authentication.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for abnormal termination or crashes of the Music Player Daemon (MPD) service, especially when it processes HTTP audio sources. Since the exploit involves sending specially crafted HTTP requests to the default MPD port (6600), network traffic analysis for unusual or malformed HTTP audio requests referencing audio/L24 content may indicate exploitation attempts.

A practical detection approach is to use network monitoring tools like tcpdump or Wireshark to capture traffic on port 6600 and look for suspicious HTTP audio requests.

Example commands to detect potential exploitation attempts include:

• tcpdump -i <interface> port 6600 -w mpd_traffic.pcap
• tshark -r mpd_traffic.pcap -Y 'http && http.content_type == "audio/L24"'
• grep or custom scripts to analyze MPD logs for crashes or unusual errors related to PCM decoding or buffer overflows.

Additionally, checking the MPD version installed on your system can help identify if it is vulnerable (versions before 0.24.11 are affected).

• mpd --version

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade Music Player Daemon (MPD) to version 0.24.11 or later, where the vulnerability has been fixed by properly adjusting the buffer size calculation in the PCM decoder plugin.

If upgrading immediately is not possible, consider restricting network access to the MPD service, especially blocking or filtering incoming traffic on the default port 6600 from untrusted sources to prevent exploitation attempts.

Monitoring MPD logs for crashes or abnormal behavior and restarting the service as needed can help maintain availability until the patch is applied.

Useful 0 Not Useful 0