CVE-2026-49127

Source
https://cve.org/CVERecord?id=CVE-2026-49127
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49127.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49127
Downstream
Published
2026-05-28T18:59:13.786Z
Modified
2026-07-08T08:13:39.543208882Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be
Details

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcmunpack24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49127.json",
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-193"
    ]
}
References

Affected packages

Git / github.com/musicplayerdaemon/mpd

Affected ranges

Type
GIT
Repo
https://github.com/musicplayerdaemon/mpd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.24.11"
        }
    ]
}

Affected versions

v0.*
v0.14
v0.14_alpha1
v0.14_alpha2
v0.14_alpha3
v0.14_beta1
v0.14_beta2
v0.14_beta3
v0.15
v0.15_alpha1
v0.15_beta1
v0.15_beta2
v0.16
v0.16_alpha1
v0.16_alpha2
v0.16_alpha3
v0.17
v0.18
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.19
v0.19.1
v0.20
v0.20.1
v0.20.2
v0.20.3
v0.21
v0.21.1
v0.21.2
v0.21.3
v0.21.4
v0.21.5
v0.22
v0.23
v0.23.1
v0.23.2
v0.23.3
v0.23.4
v0.23.5
v0.24
v0.24.1
v0.24.10
v0.24.2
v0.24.3
v0.24.4
v0.24.5
v0.24.6
v0.24.7
v0.24.8
v0.24.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49127.json"