CVE-2026-49127— Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be
Possible ATT&CK Techniques 2AI
T1203 · Exploitation for Client Execution T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| MusicPlayerDaemon | MPD | < 0.24.11 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-49127
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be
Source: NVD (National Vulnerability Database)
Vulnerability Description
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Off-by-one错误
Source: NVD (National Vulnerability Database)
Vulnerability Title
Music Player Daemon 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Music Player Daemon是Music Player Daemon开源的一款音乐播放守护进程。 Music Player Daemon 0.24.11之前版本存在安全漏洞,该漏洞源于src/pcm/Pack.cxx中的pcm_unpack_24be函数存在栈缓冲区溢出,可能导致未经身份验证的攻击者通过触发PCM解码器插件中的差一写入来破坏栈内存。攻击者可以发出两个引用恶意HTTP音频源的MPD命令,导致解包循环将1366个条目写入1365个条目的缓冲区,覆盖数组边界后的四个字节,其中三个字节来
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| MusicPlayerDaemon | MPD | 0 ~ 0.24.11 | - |
II. Public POCs for CVE-2026-49127
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-49127
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-49127 (1)
Vendor Advisories for CVE-2026-49127 (1)
News Coverage for CVE-2026-49127 (1)
Vendor Pages for CVE-2026-49127 (2)
- 🔗 Release v0.24.11 · MusicPlayerDaemon/MPD · GitHubrelease-notes
Same Patch Batch · MusicPlayerDaemon · 2026-05-28 · 4 CVEs total
| CVE-2026-49128 | 7.5 HIGH | Music Player Daemon < 0.24.11 Path Traversal via LocalStorage URI Handling |
| CVE-2026-49129 | 5.8 MEDIUM | Music Player Daemon < 0.24.11 SSRF via CurlInputPlugin |
| CVE-2026-49130 | 5.3 MEDIUM | Music Player Daemon < 0.24.11 CRLF Injection via XspfPlaylistPlugin.cxx |
IV. Related Vulnerabilities
V. Comments for CVE-2026-49127
No comments yet