Skip to main content

Music Player Daemon EUVDEUVD-2026-33000

| CVE-2026-49127 HIGH
Off-by-one Error (CWE-193)
2026-05-28 VulnCheck GHSA-p9r5-qpp4-rjg3
8.8
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
May 28, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 28, 2026 - 20:22 NVD
8.6 (HIGH) 8.8 (HIGH)
Source Code Evidence Fetched
May 28, 2026 - 20:21 vuln.today
Analysis Generated
May 28, 2026 - 20:21 vuln.today

DescriptionCVE.org

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

AnalysisAI

Stack buffer overflow in Music Player Daemon (MPD) versions prior to 0.24.11 allows remote unauthenticated attackers to crash the daemon or potentially execute code by serving a malicious HTTP audio stream processed by the PCM decoder plugin. The flaw stems from an off-by-one miscalculation in pcm_unpack_24be (src/pcm/Pack.cxx) that writes four bytes (three attacker-controlled) past a 1365-entry int32_t stack array. No public exploit identified at time of analysis, but the upstream fix is confirmed via commit 5991102 and release 0.24.11.

Technical ContextAI

MPD is a server-side music streaming daemon (cpe:2.3:a:musicplayerdaemon:mpd) written in C++ that decodes audio from local and remote sources. The vulnerability is a classic CWE-193 (Off-by-One Error) in the 24-bit big-endian PCM unpack routine: the stack buffer is sized as buffer.GetCapacity() / 3, which truncates rather than rounding up, so when the input buffer's capacity is not a multiple of 3, the unpack loop writes one extra int32_t (4 bytes) beyond the array. The upstream patch replaces the integer division with DivideRoundUp(buffer.GetCapacity(), 3), correctly sizing the stack allocation. Because the overflowed bytes originate from the HTTP response body of a remote audio source, an attacker controls three of the four spilled bytes, giving partial control over adjacent stack data such as saved registers or return addresses depending on compiler layout and stack canaries.

RemediationAI

Vendor-released patch: upgrade to MPD 0.24.11 or later, which incorporates commit 59911028c020f84bc2e669da6a1ef88121301274 replacing the truncating division with DivideRoundUp() in src/decoder/plugins/PcmDecoderPlugin.cxx; release details are at https://www.musicpd.org/news/2026/05/mpd-0-24-11-released/ and https://github.com/MusicPlayerDaemon/MPD/releases/tag/v0.24.11. Distributions that cannot immediately ship 0.24.11 can backport the one-line patch from the linked commit. As compensating controls until patching, disable the curl/HTTP input plugin in mpd.conf (input { plugin "curl" enabled "no" }) to block remote audio fetches at the cost of losing internet-radio and HTTP playlist support, restrict the MPD control socket and bind_to_address to localhost or a trusted management VLAN so untrusted clients cannot issue the two commands needed to trigger the decode, and run mpd under systemd hardening (NoNewPrivileges, ProtectSystem=strict, MemoryDenyWriteExecute) to limit the blast radius of a successful overflow.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-33000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy