SecBoard
Zurück zur CVE-Übersicht

CVE-2026-49127

HIGH(8.6)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Risk Signal Score22/100 — NIEDRIG
  • CVSS 8.6 — Hoch

EPSS-Score

1%

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

8.6

Technische Schwere

Beschreibung

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

Referenzen