CVE-2026-49127: MPD Stack Buffer Overflow in PCM Decoder (v0.24.11 Patch)
Music Player Daemon (MPD) versions before 0.24.11 contain a flaw in how they decode certain audio formats that allows an attacker to crash the service or potentially execute code. An attacker can send specially crafted commands pointing to a malicious audio file, causing the decoder to write more data than the buffer can hold. This overwrites adjacent memory with attacker-controlled data, destabilizing the daemon. No authentication is required—any network-accessible MPD instance is at risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
- Weaknesses (CWE)
- CWE-193
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.
7 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49127 is a stack buffer overflow (CWE-193: Off-by-One Error) in the pcm_unpack_24be function within MPD's PCM decoder plugin. The vulnerability stems from an off-by-one condition in the unpack loop that attempts to write 1366 entries into a 1365-entry buffer. An attacker can trigger this by issuing two MPD commands that reference a malicious HTTP audio source. The overflow writes three attacker-controlled bytes from the HTTP response body four bytes past the array boundary, corrupting adjacent stack memory. Depending on what data overwrites the stack, this can lead to denial of service via daemon termination or potentially arbitrary code execution.
Business impact
Organizations running MPD as a network service face operational disruption risk. A successful exploit can crash the music playback service, affecting any systems or users depending on it. More critically, if code execution is achieved, attackers gain the privileges of the MPD process, potentially allowing lateral movement within networked audio infrastructure. The unauthenticated nature of the attack means no credentials or user interaction are needed—any MPD instance reachable over the network is exploitable.
Affected systems
Music Player Daemon (MPD) versions prior to 0.24.11 are vulnerable. Any deployment running an older version with network accessibility is at risk. This includes standalone audio servers, IoT devices running MPD, and containerized media services. Verify your MPD version and audit network exposure of any MPD instances in your environment.
Exploitability
The attack requires only network access to an MPD instance and no authentication. An attacker must craft and host a malicious audio file and issue two MPD commands pointing to it. The low complexity of the attack vector (CVSS AV:N/AC:L/PR:N/UI:N) and the straightforward nature of triggering the buffer overflow make this easily exploitable for a motivated attacker. The attacker controls the bytes written into the overflow, allowing some control over the outcome.
Remediation
Upgrade Music Player Daemon to version 0.24.11 or later. Verify the upgrade against the official MPD project advisory and release notes. After patching, validate that the service restarts cleanly and continues to function with existing configurations. For environments unable to patch immediately, restrict network access to MPD to trusted hosts only via firewall rules or network segmentation.
Patch guidance
Download and install MPD version 0.24.11 or newer from the official Music Player Daemon project repositories or your distribution's package manager. Follow standard deployment procedures for your environment: test the upgrade in a non-production instance first to ensure compatibility with existing configurations, then roll out to production systems during a scheduled maintenance window. Confirm the service starts without errors and that playback functionality remains intact post-patch.
Detection guidance
Monitor MPD logs for unusual playback commands or audio source requests, especially those referencing suspicious HTTP URLs. Network-based detection should focus on identifying connections to known malicious audio hosts or detection of multiple MPD commands in quick succession targeting external resources. Host-based monitoring should watch for unexpected MPD process crashes or restarts. Implement input validation logging in HTTP traffic to catch attempts to send oversized or malformed PCM data to MPD listeners.
Why prioritize this
A CVSS score of 8.6 (HIGH) reflects the combination of unauthenticated network accessibility, low attack complexity, and the potential for both denial of service and code execution. The absence of authentication requirements and the simplicity of crafting the exploit make this a priority for patching. Any internet-exposed or even intranet-accessible MPD instance should be treated as urgent.
Risk score, explained
The vulnerability scores HIGH (8.6) due to: (1) network-accessible attack surface with no authentication barrier (AV:N, PR:N); (2) low complexity to execute the attack (AC:L); (3) high impact on availability through denial of service (A:H); (4) moderate confidentiality and integrity impacts from potential code execution (C:L, I:L); and (5) unrestricted scope (S:U). The off-by-one error is relatively easy to trigger with minimal attacker effort, and the resulting memory corruption creates meaningful risk of both crash and code execution depending on stack layout and ASLR status.
Frequently asked questions
How can I determine my current MPD version?
Run 'mpd --version' from the command line on the system running MPD. This will display the installed version number. Compare it against the patched version 0.24.11 or later.
Can this vulnerability be exploited without network access?
No. The vulnerability requires network access to send commands to the MPD service. However, if MPD is listening on localhost only or behind a firewall, your exposure is reduced. Audit your MPD configuration to verify the bind address and firewall rules.
What is the difference between a crash and code execution in this context?
A crash (denial of service) occurs when the memory corruption destabilizes the process, causing MPD to terminate. Code execution is the more severe outcome in which the attacker's crafted bytes overwrite return addresses or other critical stack data, allowing them to redirect execution flow to attacker-controlled code. The actual outcome depends on memory layout, stack canaries, and other runtime protections.
Are there workarounds if I cannot patch immediately?
Yes. Restrict network access to MPD using firewall rules, limiting connections to trusted hosts only. Disable remote streaming or HTTP audio sources if they are not essential to your use case. These are temporary mitigations until patching is feasible.
This analysis is provided for informational purposes to assist security teams in vulnerability assessment and remediation planning. The information herein reflects publicly disclosed vulnerability data and is not a substitute for vendor advisories or official security guidance. Patch version numbers and timelines must be verified against official Music Player Daemon project releases and your organization's vendor contacts. No exploit code or proof-of-concept is provided. Security teams should conduct their own testing in controlled environments before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25391HIGHHaPe PKH 1.1 Authorization Bypass – Unauthorized Record Deletion Vulnerability