VYPR
High severity · 8.6 · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-49127

Description

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MPD before 0.24.11 has a stack buffer overflow in pcm_unpack_24be that lets an unauthenticated attacker corrupt memory and potentially execute code.

Vulnerability

Music Player Daemon (MPD) versions before 0.24.11 contain a stack buffer overflow in the pcm_unpack_24be function in src/pcm/Pack.cxx. An off-by-one error in the size calculation of a stack buffer (unpack_buffer) in src/decoder/plugins/PcmDecoderPlugin.cxx causes the buffer to be one element too small: when a 4096-byte FIFO buffer is full, the unpack loop writes 1366 entries into a buffer sized for 1365 (4096 / 3 = 1365, but 1366 are written). The overflow writes four bytes past the array boundary, with three bytes controlled by the HTTP response body [2].

Exploitation

An unauthenticated attacker with network access to the MPD command port (default 6600) can exploit this by sending two MPD commands that reference a malicious HTTP audio source serving a specially crafted audio/L24 stream. The attacker needs no prior authentication or special privileges. The HTTP response body fills the FIFO buffer, triggering the off-by-one loop that writes an extra int32_t (containing three attacker-controlled bytes from the HTTP body) past the end of unpack_buffer [2].

Impact

Successful exploitation corrupts adjacent stack memory. The attacker-controlled bytes overwrite four bytes beyond the buffer, which can cause daemon termination (denial of service) or potentially achieve arbitrary code execution depending on the exact stack layout and compiler optimizations [2]. The impact is high due to the possibility of remote code execution with the privileges of the MPD process.

Mitigation

The vulnerability is fixed in MPD version 0.24.11, released on 2026-05-15 [1][3]. The fix corrects the buffer size calculation by using DivideRoundUp(buffer.GetCapacity(), std::size_t{3}) instead of integer division [4]. Users should update to 0.24.11 or later. No workarounds are fully effective; restricting network access to the MPD port and disabling the PCM decoder plugin may reduce risk, but upgrading is the recommended action.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Patches

59911028c020

decoder/pcm: fix stack buffer overflow

https://github.com/musicplayerdaemon/mpd · Max Kellermann · May 14, 2026 · via nvd-ref
2 files changed · +4 −1
  • NEWS (+2 −0, modified)
    @@ -2,6 +2,8 @@ ver 0.24.11 (not yet released)
     * protocol
       - fix path traversal bug
     * playlist: do not allow newlines in song URIs
    +* decoder
    +  - pcm: fix stack buffer overflow
     
     ver 0.24.10 (2026/05/06)
     * input
    
  • src/decoder/plugins/PcmDecoderPlugin.cxx (+2 −1, modified)
    @@ -11,6 +11,7 @@
     #include "util/ByteOrder.hxx"
     #include "util/Domain.hxx"
     #include "util/ByteReverse.hxx"
    +#include "util/DivideRoundUp.hxx"
     #include "util/StaticFifoBuffer.hxx"
     #include "util/CNumberParser.hxx"
     #include "util/MimeType.hxx"
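Review bot: the new `#include "util/DivideRoundUp.hxx"` is the only header this hunk adds, yet the call site added later in this file spells its divisor as `std::size_t{3}` and no `<cstddef>` include is visible in this block; unless `DivideRoundUp.hxx` itself provides `std::size_t`, the declaration relies on a transitive include from one of the other util headers. Adding `#include <cstddef>` here (or confirming the util header pulls it in) keeps the new declaration from breaking the next time these includes are reshuffled.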
    @@ -161,7 +162,7 @@ pcm_stream_decode(DecoderClient &client, InputStream &is)
     
     	/* a buffer for pcm_unpack_24be() large enough to hold the
     	   results for a full source buffer */
    -	int32_t unpack_buffer[buffer.GetCapacity() / 3];
    +	int32_t unpack_buffer[DivideRoundUp(buffer.GetCapacity(), std::size_t{3})];
     
     	DecoderCommand cmd;
     	do {
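Review bot: the change from `buffer.GetCapacity() / 3` to `DivideRoundUp(buffer.GetCapacity(), std::size_t{3})` only fixes the destination side of the mismatch. With the 4096-byte FIFO the advisory describes, a loop that advances 3 bytes per iteration until `src < src_end` fails runs 1366 times, and its last iteration starts at offset 4095, so it assembles the final sample from bytes past the source data; the reproduction section reports exactly that read at `ReadS24BE` before the out-of-bounds write. Enlarging `unpack_buffer` to 1366 entries absorbs the extra `int32_t`, but this diff does not show the byte count passed to `pcm_unpack_24be()` being truncated to a multiple of 3. Suggest either passing only `nbytes - nbytes % 3` to the unpacker and leaving the remainder in the FIFO for the next read, or asserting at the call site that `(src_end - src) % 3 == 0`, so the last sample can never be built from out-of-range bytes.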
    

Vulnerability mechanics

Root cause

"Integer division rounding down in the stack buffer size calculation causes an off-by-one when unpacking a full FIFO buffer."

Attack vector

An unauthenticated attacker sends two MPD text commands (`add` and `play`) over TCP to port 6600, pointing the daemon at a malicious HTTP server that serves a body with Content-Type `audio/L24` [ref_id=1]. The HTTP body fills the 4096-byte FIFO buffer, and the PCM decoder plugin calls `pcm_unpack_24be` which reads 1366 triplets from the FIFO but writes into a 1365-element stack buffer [ref_id=1]. The resulting off-by-one write corrupts adjacent stack memory with three attacker-controlled bytes from the HTTP response body [ref_id=1].

Affected code

The bug spans two files. In `src/pcm/Pack.cxx`, the `pcm_unpack_24be` function (line 82) loops while `src < src_end`, reading three bytes per iteration via `ReadS24BE`. In `src/decoder/plugins/PcmDecoderPlugin.cxx`, the stack buffer `unpack_buffer` is declared as `int32_t unpack_buffer[buffer.GetCapacity() / 3]` (line 164), which yields 1365 entries when `buffer` has capacity 4096. The unpack loop writes 1366 entries when the FIFO is full, causing a 4-byte out-of-bounds write [ref_id=1].

What the fix does

The patch replaces the integer division `buffer.GetCapacity() / 3` with `DivideRoundUp(buffer.GetCapacity(), std::size_t{3})` in `src/decoder/plugins/PcmDecoderPlugin.cxx` [patch_id=2980739]. This ensures `unpack_buffer` has 1366 entries instead of 1365, matching the maximum number of 24-bit samples that can be unpacked from a full 4096-byte FIFO. The `DivideRoundUp` utility is included via a new `#include "util/DivideRoundUp.hxx"` header [patch_id=2980739].
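To make the arithmetic of the off-by-one concrete, the following is an added example and not MPD's code: `ReadS24BE` here is a reimplementation of the semantics the page names, and `SlotsFloor`, `SlotsRoundUp`, `UnpackIterations`, `UnpackS24BEChecked` and `OverflowSlots` are hypothetical names chosen for this illustration. It reproduces the floor-versus-round-up sizing against the 4096-byte FIFO capacity the advisory gives (1365 slots versus the 1366 iterations a 3-byte-stride loop performs), and shows a bounds-checked unpack that consumes only whole triplets, returning the leftover byte count to the caller instead of reading or writing past either buffer.

```cpp
// Added example (not MPD's code): models the unpack_buffer sizing bug and the
// DivideRoundUp fix, and shows a bounds-checked unpacker that cannot write past
// its destination or read a partial trailing triplet from its source.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Floor division: what the vulnerable declaration `buffer.GetCapacity() / 3` computed.
constexpr std::size_t SlotsFloor(std::size_t nbytes) { return nbytes / 3; }

// Round-up division: the semantics of the fix's DivideRoundUp(capacity, 3).
constexpr std::size_t SlotsRoundUp(std::size_t nbytes) { return (nbytes + 2) / 3; }

// Iterations of a `while (src < src_end)` loop that advances by 3 bytes over
// nbytes of input. It rounds up, which is why floor sizing is one slot short
// whenever nbytes % 3 != 0 (4096 = 1365 * 3 + 1).
constexpr std::size_t UnpackIterations(std::size_t nbytes) { return (nbytes + 2) / 3; }

static_assert(SlotsFloor(4096) == 1365, "floor sizing yields 1365 slots");
static_assert(SlotsRoundUp(4096) == 1366, "round-up sizing yields 1366 slots");
static_assert(UnpackIterations(4096) == SlotsRoundUp(4096), "loop count matches round-up");

// Big-endian packed 24-bit sample, sign-extended to int32_t. Reimplementation of
// the semantics the advisory attributes to ReadS24BE (assumption, not MPD's code).
static int32_t ReadS24BE(const uint8_t *p) {
    uint32_t v = (uint32_t(p[0]) << 16) | (uint32_t(p[1]) << 8) | uint32_t(p[2]);
    if (v & 0x800000u) v |= 0xff000000u;  // sign extend bit 23
    return int32_t(v);
}

struct UnpackResult {
    std::size_t samples_written;  // entries stored in dst
    std::size_t bytes_consumed;   // always a multiple of 3
    std::size_t bytes_remaining;  // trailing partial triplet left for the next call
    bool dst_too_small;           // true if more whole triplets arrived than dst can hold
};

// Bounds-checked variant (hypothetical name): reads only whole triplets and writes
// at most dst_capacity samples; the caller keeps the leftover bytes in its FIFO.
UnpackResult UnpackS24BEChecked(int32_t *dst, std::size_t dst_capacity,
                                const uint8_t *src, std::size_t src_len) {
    UnpackResult r{};
    const std::size_t whole = src_len / 3;  // complete triplets only, never a partial one
    const std::size_t n = whole < dst_capacity ? whole : dst_capacity;
    r.dst_too_small = whole > dst_capacity;
    for (std::size_t i = 0; i < n; ++i)
        dst[i] = ReadS24BE(src + 3 * i);
    r.samples_written = n;
    r.bytes_consumed = 3 * n;
    r.bytes_remaining = src_len - r.bytes_consumed;
    return r;
}

// How many samples an unchecked 3-byte-stride loop would write beyond a destination
// sized with floor (vulnerable) or round-up (fixed) division. 0 means no overflow.
std::size_t OverflowSlots(std::size_t fifo_capacity, bool use_round_up) {
    const std::size_t dst = use_round_up ? SlotsRoundUp(fifo_capacity) : SlotsFloor(fifo_capacity);
    const std::size_t iters = UnpackIterations(fifo_capacity);
    return iters > dst ? iters - dst : 0;
}

int main() {
    // Constructed input: a 4096-byte FIFO filled with a counting pattern (not captured traffic).
    std::vector<uint8_t> fifo(4096);
    for (std::size_t i = 0; i < fifo.size(); ++i) fifo[i] = uint8_t(i);

    std::printf("floor slots=%zu round-up slots=%zu loop iterations=%zu "
                "overflow(vulnerable)=%zu overflow(fixed)=%zu\n",
                SlotsFloor(fifo.size()), SlotsRoundUp(fifo.size()), UnpackIterations(fifo.size()),
                OverflowSlots(fifo.size(), false), OverflowSlots(fifo.size(), true));

    // Even with the undersized 1365-slot destination, the checked unpacker stops at
    // 1365 samples, consumes 4095 bytes and reports the single leftover byte.
    std::vector<int32_t> dst(SlotsFloor(fifo.size()));
    UnpackResult r = UnpackS24BEChecked(dst.data(), dst.size(), fifo.data(), fifo.size());
    std::printf("checked unpack: %zu samples, %zu bytes consumed, %zu left over, dst_too_small=%d\n",
                r.samples_written, r.bytes_consumed, r.bytes_remaining, int(r.dst_too_small));
    return 0;
}
```

The checked unpacker separates the two invariants the original code conflated: the destination bound (`dst_capacity`) and the source alignment (whole triplets only). Returning `bytes_remaining` lets the caller leave the partial triplet in the FIFO for the next read rather than either dropping it or reading past the buffer.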

Preconditions

  • auth: No authentication required; MPD accepts commands on default port 6600
  • input: Attacker must control an HTTP server that returns audio/L24 content
  • network: Attacker must be able to reach the MPD control port over the network

Reproduction

Build MPD with AddressSanitizer: `meson setup build_asan -Db_sanitize=address,undefined && meson compile -C build_asan`. Start a malicious HTTP server on 127.0.0.1:18001 that returns 16 KB of arbitrary bytes with Content-Type `audio/L24; rate=44100; channels=1`. From any unauthenticated TCP client, run: `printf 'add http://127.0.0.1:18001/foo.l24\nplay\nstatus\nclose\n' | nc -q 3 127.0.0.1 6600`. ASan will report a stack-buffer-overflow read at `ReadS24BE` followed by the out-of-bounds write [ref_id=1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
