[Pkg-mpd-maintainers] Bug#1138215: mpd: CVE-2026-49127 CVE-2026-49128 CVE-2026-49129 CVE-2026-49130
Salvatore Bonaccorso
carnil at debian.org
Fri May 29 15:41:05 BST 2026
Source: mpd
Version: 0.24.8-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerabilities were published for mpd.
CVE-2026-49127[0]:
| Music Player Daemon (MPD) before version 0.24.11 contains a stack
| buffer overflow vulnerability in the pcm_unpack_24be function in
| src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt
| stack memory by triggering an off-by-one write in the PCM decoder
| plugin. Attackers can issue two MPD commands referencing a malicious
| HTTP audio source to cause the unpack loop to write 1366 entries
| into a 1365-entry buffer, overwriting four bytes past the array
| boundary with three attacker-controlled bytes from an HTTP response
| body, resulting in daemon termination or potential code execution.
CVE-2026-49128[1]:
| Music Player Daemon (MPD) before version 0.24.11 contains a path
| traversal vulnerability in LocalStorage::MapFSOrThrow and
| LocalStorage::MapUTF8 within the local storage plugin, where the on-
| disk path is constructed by joining the storage root with a user-
| supplied URI as plain strings without canonicalization, allowing
| '..' segments to survive into the resolved path and be flattened by
| the kernel at openat() time. An unauthenticated attacker can exploit
| this flaw using the listfiles command to enumerate names, sizes, and
| modification times of arbitrary directories readable by the MPD
| process, and the albumart command to read image files in any
| attacker-chosen directory outside the configured music_directory.
CVE-2026-49129[2]:
| Music Player Daemon (MPD) before version 0.24.11 contains a server-
| side request forgery vulnerability in CurlInputPlugin where
| CURLOPT_FOLLOWLOCATION is set without CURLOPT_REDIR_PROTOCOLS_STR,
| allowing unauthenticated attackers to bypass the http/https scheme
| restriction by causing a malicious HTTP server to redirect to non-
| HTTP protocols such as gopher, ftp, sftp, ldap, dict, rtmp, or rtsp.
| Attackers can trigger this vulnerability via MPD commands that
| initiate URL fetches, including add, readcomments, albumart,
| readpicture, or load, to interact with internal or restricted
| network services on systems running libcurl versions prior to
| 7.85.0.
CVE-2026-49130[3]:
| Music Player Daemon (MPD) before version 0.24.11 contains a CRLF
| injection vulnerability in the xspf_char_data function within the
| XSPF playlist plugin that allows attackers to embed literal CR/LF
| bytes in URI fields by supplying a malicious XSPF playlist with XML
| numeric character references. Attackers can inject forged key-value
| lines through the location field into MPD protocol responses
| including playlistinfo, currentsong, and listplaylist outputs, as
| well as the state file writer, by exploiting Expat's decoding of
| numeric character references prior to the character data callback.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-49127
https://www.cve.org/CVERecord?id=CVE-2026-49127
[1] https://security-tracker.debian.org/tracker/CVE-2026-49128
https://www.cve.org/CVERecord?id=CVE-2026-49128
[2] https://security-tracker.debian.org/tracker/CVE-2026-49129
https://www.cve.org/CVERecord?id=CVE-2026-49129
[3] https://security-tracker.debian.org/tracker/CVE-2026-49130
https://www.cve.org/CVERecord?id=CVE-2026-49130
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
More information about the Pkg-mpd-maintainers
mailing list