Nixpkgs security tracker

Login with GitHub

Details of issue NIXPKGS-2026-1777

NIXPKGS-2026-1777
published 2 weeks, 2 days ago
Permalink CVE-2026-49127
8.8 HIGH
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): Low (L)
  • Vulnerable System Impact Integrity (VI): Low (L)
  • Vulnerable System Impact Availability (VA): High (H)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
  • Modified Vulnerable System Impact Integrity (MVI): Low (L)
  • Modified Vulnerable System Impact Availability (MVA): High (H)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 2 days ago
  • @LeSuisse ignored
    11 packages
    • ympd
    • mpdas
    • mympd
    • compdb
    • libmpd
    • mpdcron
    • mpdris2
    • mpd-sima
    • rofi-mpd
    • rtmpdump
    • mpd-mpris
    2 weeks, 2 days ago
  • @LeSuisse ignored reference https://w… 2 weeks, 2 days ago
  • @LeSuisse ignored
    35 packages
    • mpdecimal
    • termpdfpy
    • mopidy-mpd
    • mpdris2-rs
    • pam_tmpdir
    • mpdscribble
    • dash-mpd-cli
    • libmpdclient
    • mpd-discord-rpc
    • rtmpdump_gnutls
    • listenbrainz-mpd
    • mpd-notification
    • perlPackages.NetMPD
    • mpd-touch-screen-gui
    • perl5Packages.NetMPD
    • haskellPackages.libmpd
    • perl538Packages.NetMPD
    • perl540Packages.NetMPD
    • python312Packages.mpd2
    • python313Packages.mpd2
    • python314Packages.mpd2
    • writableTmpDirAsHomeHook
    • mopidyPackages.mopidy-mpd
    • perlPackages.FileUtilTempdir
    • perlPackages.TestTempDirTiny
    • perl5Packages.FileUtilTempdir
    • perl5Packages.TestTempDirTiny
    • perl538Packages.FileUtilTempdir
    • perl538Packages.TestTempDirTiny
    • perl540Packages.FileUtilTempdir
    • perl540Packages.TestTempDirTiny
    • haskellPackages.mpd-current-json
    • haskellPackages.compdata-fixplate
    • home-assistant-component-tests.mpd
    • chickenPackages_5.chickenEggs.mpd-client
    2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Music Player Daemon < 0.24.11 Stack Buffer Overflow via pcm_unpack_24be

Music Player Daemon (MPD) before version 0.24.11 contains a stack buffer overflow vulnerability in the pcm_unpack_24be function in src/pcm/Pack.cxx that allows unauthenticated attackers to corrupt stack memory by triggering an off-by-one write in the PCM decoder plugin. Attackers can issue two MPD commands referencing a malicious HTTP audio source to cause the unpack loop to write 1366 entries into a 1365-entry buffer, overwriting four bytes past the array boundary with three attacker-controlled bytes from an HTTP response body, resulting in daemon termination or potential code execution.

Affected products

MPD
  • <0.24.11

Matching in nixpkgs

pkgs.mpd

Flexible, powerful daemon for playing music

Ignored packages (46)

pkgs.ympd

Standalone MPD Web GUI written in C, utilizing Websockets and Bootstrap/JS

pkgs.mpdas

Music Player Daemon AudioScrobbler

pkgs.mympd

Standalone and mobile friendly web mpd client with a tiny footprint and advanced features

pkgs.compdb

Command line tool to manipulate compilation databases

pkgs.rofi-mpd

Rofi menu for interacting with MPD written in Python

pkgs.rtmpdump

Toolkit for RTMP streams

  • nixos-unstable 2.6
    • nixpkgs-unstable 2.6
    • nixos-unstable-small 2.6

pkgs.mpd-mpris

Implementation of the MPRIS protocol for MPD

pkgs.mpdecimal

Library for arbitrary precision decimal floating point arithmetic

pkgs.mopidy-mpd

Mopidy extension for controlling playback from MPD clients

pkgs.mpdris2-rs

Exposing MPRIS V2.2 D-Bus interface for MPD

pkgs.pam_tmpdir

PAM module for creating safe per-user temporary directories

  • nixos-unstable 0.09
    • nixpkgs-unstable 0.09
    • nixos-unstable-small 0.09

pkgs.mpdscribble

MPD client which submits info about tracks being played to a scrobbler

  • nixos-unstable 0.25
    • nixpkgs-unstable 0.25
    • nixos-unstable-small 0.25

pkgs.dash-mpd-cli

Download media content from a DASH-MPEG or DASH-WebM MPD manifest

pkgs.libmpdclient

Client library for MPD (music player daemon)

  • nixos-unstable 2.24
    • nixpkgs-unstable 2.24
    • nixos-unstable-small 2.24

pkgs.mpd-discord-rpc

Rust application which displays your currently playing song / album / artist from MPD in Discord using Rich Presence

Package maintainers