PatchSiren

CVE-2026-49127 MusicPlayerDaemon CVE debrief

A stack buffer overflow vulnerability exists in Music Player Daemon (MPD) versions prior to 0.24.11. The flaw resides in the `pcm_unpack_24be` function within `src/pcm/Pack.cxx`, where an off-by-one write condition allows 1366 entries to be written into a 1365-entry buffer. Unauthenticated attackers can exploit this by issuing two MPD commands that reference a malicious HTTP audio source, causing the PCM decoder plugin to write four bytes past the array boundary, three of which are attacker-controlled bytes from an HTTP response body. This results in daemon termination or potential code execution. The vulnerability was disclosed on 2026-05-28 and assigned a CVSS 4.0 score of 8.8 (HIGH severity). MPD version 0.24.11 contains the fix.

Vendor: MusicPlayerDaemon
Product: MPD
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

Organizations running Music Player Daemon (MPD) for audio streaming services, particularly those exposing MPD control interfaces to untrusted networks. System administrators managing Linux/Unix audio servers. Security teams monitoring for buffer overflow vulnerabilities in media processing applications.

Technical summary

The vulnerability exists in the `pcm_unpack_24be` function in `src/pcm/Pack.cxx`. An off-by-one error causes a loop to write one entry beyond the allocated buffer size (1366 entries written to a 1365-entry buffer). The overflow overwrites four bytes past the array boundary, including three bytes of attacker-controlled data from a malicious HTTP audio stream. The attack requires two MPD commands to trigger the vulnerable code path. The corrupted stack memory can lead to denial of service through daemon termination or potentially arbitrary code execution.
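
The sketch below is an added example, not MPD's code or its actual fix: a bounds-checked 24-bit big-endian unpacker that clamps the sample count to the destination capacity, checked with a guard word placed after a 1365-entry buffer. The function names, the rounded-up count as the source of the extra entry, and the 4096-byte chunk size (1365 whole samples plus one trailing byte) are assumptions made for illustration.

```cpp
// Added illustration, not MPD source code. Function names and the 4096-byte
// chunk size are assumptions; 1365 is the buffer capacity quoted above.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr std::size_t kDestEntries = 1365;
constexpr int32_t kGuard = 0x5AFE5AFE;  // sentinel placed right after the buffer

// Off-by-one pattern: rounding up counts a trailing partial sample as a whole one.
constexpr std::size_t RoundedUpCount(std::size_t bytes) { return (bytes + 2) / 3; }

// Decode one packed 24-bit big-endian sample and sign-extend it to 32 bits.
static int32_t ReadS24BE(const uint8_t *p) {
    uint32_t v = (uint32_t(p[0]) << 16) | (uint32_t(p[1]) << 8) | uint32_t(p[2]);
    if (v & 0x800000u) v |= 0xFF000000u;
    return static_cast<int32_t>(v);
}

// Bounded unpack: whole samples only (floor division), then clamped to the
// destination capacity, so no count can push a write past dest.
std::size_t UnpackS24BEBounded(int32_t *dest, std::size_t dest_entries,
                               const uint8_t *src, std::size_t src_bytes) {
    std::size_t n = src_bytes / 3;
    if (n > dest_entries) n = dest_entries;
    for (std::size_t i = 0; i < n; ++i) dest[i] = ReadS24BE(src + 3 * i);
    return n;
}

struct DemoResult { std::size_t written; bool guard_intact; int32_t first, last; };

// Constructed input: src_bytes bytes of 0x7F, first sample set to FF FF FE (-2).
DemoResult RunDemo(std::size_t src_bytes) {
    std::vector<uint8_t> src(src_bytes, 0x7F);
    src[0] = 0xFF; src[1] = 0xFF; src[2] = 0xFE;
    std::array<int32_t, kDestEntries + 1> buf{};
    buf[kDestEntries] = kGuard;
    std::size_t n = UnpackS24BEBounded(buf.data(), kDestEntries, src.data(), src.size());
    return {n, buf[kDestEntries] == kGuard, buf[0], buf[n - 1]};
}

int main() {
    DemoResult r = RunDemo(4096);
    std::printf("rounded-up=%zu written=%zu guard=%d\n",
                RoundedUpCount(4096), r.written, r.guard_intact);
    return r.guard_intact ? 0 : 1;
}
```

Building a test like this with AddressSanitizer (`-fsanitize=address`) turns any one-entry overrun into an immediate, reported failure instead of silent stack corruption.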

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Music Player Daemon to version 0.24.11 or later
  • Restrict network access to MPD control ports to trusted hosts only
  • Monitor for unexpected MPD daemon crashes or terminations
  • Review MPD configuration to disable HTTP audio streaming if not required
  • Apply principle of least privilege when running MPD service

Evidence notes

The vulnerability is classified as CWE-193 (Off-by-one Error). The CVSS 4.0 vector indicates a network attack vector with low attack complexity, no privileges required, and no user interaction needed. The vulnerability affects confidentiality (low), integrity (low), and availability (high).

Official resources

CVE-2026-49127 was published on 2026-05-28T20:16:26.387Z and last modified on 2026-05-28T22:17:01.547Z. The vulnerability was disclosed through coordinated disclosure via VulnCheck and independently reported by security researcher mstreet97