21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
An autonomous security agent uncovered 21 zero-day vulnerabilities<\/a> in FFmpeg, the world\u2019s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet.<\/p>\n FFmpeg quietly powers media processing across browsers, streaming platforms, surveillance systems, and cloud infrastructure, making it one of the most security-critical open-source libraries.<\/p>\n It\u2019s roughly 1.5 million lines of heavily optimized C code that parses hundreds of complex media formats, absorbing over two decades of fuzzing and manual audits.<\/p>\n Google\u2019s Big Sleep team previously disclosed 13 vulnerabilities in FFmpeg, and Anthropic\u2019s Mythos model<\/a> identified additional security issues shortly after.<\/p>\n Building on these milestones, security firm Depthfirst deployed a specialized autonomous agent to scan FFmpeg and found 21 previously unknown zero-days at a cost of approximately $1,000, roughly 10% of what Anthropic spent using Mythos.<\/p>\n Unlike general-purpose coding agents, Depthfirst\u2019s security agent performs serious threat modeling across large codebases.<\/p>\n It maps attacker-controlled input entry points, traces data flow through relevant components, and validates whether a vulnerable path is actually reachable.<\/p>\n The agent generates reproducible PoC inputs to confirm vulnerabilities and eliminate false positives, with the PoC code published on GitHub by Zhenpeng (Leo) Lin of Depthfirst.<\/a><\/p>\n The agent discovered vulnerabilities spanning the TS demuxer, VP9 decoder, RTP depacketizers, RTSP server, RTMP client, and more. Eight have been assigned CVEs:<\/p>\n CVE-2026-39210<\/strong> \u2013 Heap Buffer Overflow in the TS demuxer (introduced in 2010).<\/p>\n CVE-2026-39211<\/strong> \u2013 Integer Overflow in swscale (introduced 2010).<\/p>\n CVE-2026-39212<\/strong> \u2013 Stack Overflow in ffmpeg_opt.c (regression from July 2025).<\/p>\n CVE-2026-39213<\/strong> \u2013 Heap Buffer Overflow in yuv4mpegenc (introduced 2023).<\/p>\n CVE-2026-39214<\/strong> \u2013 Stack Buffer Overflow in the SDT implementation (introduced in 2003, latent for 23 years).<\/p>\n CVE-2026-39215<\/strong> \u2013 Heap Buffer Overflow in update_mb_info() (introduced 2012).<\/p>\n CVE-2026-39216<\/strong> \u2013 Heap Buffer Overflow in img2enc.c (introduced 2012).<\/p>\n CVE-2026-39217<\/strong> \u2013 Heap Buffer Overflow in the VP9 decoder (regression from March 2025).<\/p>\n CVE-2026-39218<\/strong> \u2013 Heap Buffer Overflow in the DASH demuxer (introduced in 2017).<\/p>\n Additional unassigned findings include bugs in the RTP AV1 depacketizer (DFVULN-127), AVI demuxer, CAF demuxer, RTSP SDP parser, RTMP client, and AVIF overlay path, all of which have been dormant for over 15 years.<\/p>\n The most severe finding is a heap buffer overflow in FFmpeg\u2019s AV1 RTP depacketizer (libavformat\/rtpdec_av1.c), tracked as DFVULN-127.<\/p>\n The flaw lies in how the depacketizer handles Temporal Delimiter (TD) OBUs\u2019 special markers that separate video frames.<\/p>\n When a TD is encountered, the code advances the write cursor (pktpos) by the attacker-declared\u00a0obu_size\u00a0without allocating the corresponding memory or advancing the input pointer\u00a0buf_ptr.<\/p>\n This causes two compounding issues: the write cursor becomes poisoned, and the next iteration re-parses the TD\u2019s own bytes as a fresh OBU with attacker-controlled contents.<\/p>\n The corruption lands directly on an\u00a0AVBuffer\u00a0struct allocated immediately after the data buffer by FFmpeg\u2019s\u00a0posix_memalign-based allocator.<\/p>\n At offset +24 within that struct sits a\u00a0free\u00a0function pointer, the exact target of the Overflow.<\/p>\n When the packet is subsequently reallocated, FFmpeg decrements the buffer\u2019s reference count to zero and invokes the now-corrupted\u00a0free\u00a0pointer, handing the attacker full control of the instruction pointer.<\/p>\n A working PoC confirms that a single 183-byte RTP packet delivered over RTSP is sufficient to redirect execution, with no authentication, no user interaction, and no unusual flags required.<\/p>\n Any system running\u00a0ffmpeg -i rtsp:\/\/attacker\/stream\u00a0is exposed, including media ingest pipelines, CCTV and surveillance systems<\/a>, and cloud transcoding services processing remote AV1-over-RTP sources.<\/p>\n Administrators using FFmpeg in network-facing deployments should apply patches immediately and audit any pipeline that processes untrusted RTSP or RTP streams.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post 21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n21 0-Day Vulnerabilities in FFmpeg<\/strong><\/h2>\n