CVE-2026-49127

Name of the Vulnerable Software and Affected Versions Music Player Daemon (MPD) versions prior to 0.24.11

Description A stack buffer overflow exists in the pcm unpack 24be() function within src/pcm/Pack.cxx. This issue allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. By issuing two MPD commands that reference a malicious HTTP audio source, an attacker can cause the unpack loop to write 1366 entries into a 1365-entry buffer. This process overwrites four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, which can lead to daemon termination or potential code execution.

Recommendations Update to version 0.24.11 or later.