How is CVE-2026-49127 exploited?

Network reachability (required): The attacker must reach the MPD service over the network to issue the malicious commands that trigger the overflow. Authentication (not-required): No credentials are needed; the vulnerable code path is reachable by any unauthenticated client able to connect to the MPD service. Victim interaction (not-required): No user action is required; the attacker drives exploitation entirely through MPD protocol commands without any victim participation. Attack complexity (info): Exploitation is reliable and condition-free once the service is reachable, with no race conditions or special environmental state required.

What is the impact of CVE-2026-49127?

The MPD daemon process terminates, dropping all active playback sessions and making the audio service unavailable. An attacker controls three bytes written past the stack buffer boundary, which can corrupt the saved return address or adjacent stack frames, enabling potential remote code execution within the MPD process. Confidential data accessible to the MPD process, such as file paths, playlist contents, and low-sensitivity runtime state, may be read by an attacker who achieves code execution. Files and configuration writable by the MPD process user account may be modified if the attacker achieves code execution.

Back to search

HIGHCVE-2026-49127Published 2026-05-28Modified 2026-05-29CNA VulnCheck

CVE-2026-49127: Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be

Q: What is CVE-2026-49127?

A stack buffer overflow in Music Player Daemon (MPD) before version 0.24.11 allows unauthenticated remote attackers to corrupt stack memory through the pcm_unpack_24be function in the PCM decoder. The flaw is reachable over the network with no authentication required, by issuing two MPD commands that reference a crafted HTTP audio source, triggering an off-by-one write of 1366 entries into a 1365-entry buffer. Successful exploitation results in daemon termination or potential remote code execution. A patched-image rebuild at version 0.24.11 is available on HarborGuard for affected environments.

Q: How is CVE-2026-49127 fixed?

A patched-image rebuild at MPD 0.24.11 is available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A stack buffer overflow in Music Player Daemon (MPD) before version 0.24.11 allows unauthenticated remote attackers to corrupt stack memory through the pcm_unpack_24be function in the PCM decoder. The flaw is reachable over the network with no authentication required, by issuing two MPD commands that reference a crafted HTTP audio source, triggering an off-by-one write of 1366 entries into a 1365-entry buffer. Successful exploitation results in daemon termination or potential remote code execution. A patched-image rebuild at version 0.24.11 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream advisory feeds, including custom-built images that bundle MPD. Both registry scans and CI/CD pipeline checks are capable of identifying images running any MPD version below 0.24.11.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.8 HIGH and weighting it against each customer environment's compliance policy to determine breach of threshold. Triage routing routes findings to the appropriate team inbox within each customer organization based on policy configuration.

Available

Patch

A patched-image rebuild at MPD 0.24.11 is available on HarborGuard for any environment where an affected version is detected. For customers with auto-remediation enabled, HarborGuard is capable of performing the rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.

Available

Exploit Conditions

Network reachabilityRequired
The attacker must reach the MPD service over the network to issue the malicious commands that trigger the overflow.
AuthenticationNot required
No credentials are needed; the vulnerable code path is reachable by any unauthenticated client able to connect to the MPD service.
Victim interactionNot required
No user action is required; the attacker drives exploitation entirely through MPD protocol commands without any victim participation.
Attack complexityDetail
Exploitation is reliable and condition-free once the service is reachable, with no race conditions or special environmental state required.

Blast Radius

The MPD daemon process terminates, dropping all active playback sessions and making the audio service unavailable.
An attacker controls three bytes written past the stack buffer boundary, which can corrupt the saved return address or adjacent stack frames, enabling potential remote code execution within the MPD process.
Confidential data accessible to the MPD process, such as file paths, playlist contents, and low-sensitivity runtime state, may be read by an attacker who achieves code execution.
Files and configuration writable by the MPD process user account may be modified if the attacker achieves code execution.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active in every ingest cycle, matching images containing MPD versions below 0.24.11 as soon as they appear in a customer registry or pipeline. Where compliance policy permits, a rebuilt image at MPD 0.24.11 is made available, and for customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a pull request against affected workloads. For high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Organizations that cannot immediately redeploy the patched image should consider restricting network access to MPD's control port to trusted hosts only and blocking the service from initiating outbound HTTP connections to untrusted sources, limiting the attacker's ability to supply the malicious audio stream needed to trigger the overflow.

See how HarborGuard automates this

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: 0.24.11
Affected Products: 1

Fix available

0.24.11

Patch commits

Affected packages

MusicPlayerDaemon / MPD
< 0.24.11 (from 0)

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

References

HarborGuard Analysis

Synopsis

HarborGuard Coverage

Exploit Conditions

Blast Radius

How HarborGuard Handles This

Metrics

Fix available