CVE-2026-49127

216.73.217.22

· Published 28/05/2026 20:16 · Modified 29/05/2026 14:07

Labels: CVE-2026-49127 2026-05-28 CVE-2026-49127 CWE-193 [email protected]

Essential information

Published: 28/05/2026 20:16
Modified: 29/05/2026 14:07
Author: —
Creator: —
CVSS: 8.8 HIGH (v3) 8.8 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
music player daemon / mpd	`cpe:2.3:a:music_player_daemon:mpd:<0.24.11:::::::*`