CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 09, 2026

21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks

Cybersecurity News Archived Jun 09, 2026 ✓ Full text saved

An autonomous security agent uncovered 21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet. FFmpeg quietly powers media processing across browsers, streaming platforms, surveillance systems, and cloud infrastructure, making it one of the most security-critical open-source libraries. […] The post 21 0-Day Vulnerabilities in FFmpeg Enables Remote Code

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News 21 0-Day Vulnerabilities in FFmpeg Enables Remote Code Execution Attacks By Abinaya June 9, 2026 An autonomous security agent uncovered 21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet. FFmpeg quietly powers media processing across browsers, streaming platforms, surveillance systems, and cloud infrastructure, making it one of the most security-critical open-source libraries. It’s roughly 1.5 million lines of heavily optimized C code that parses hundreds of complex media formats, absorbing over two decades of fuzzing and manual audits. Google’s Big Sleep team previously disclosed 13 vulnerabilities in FFmpeg, and Anthropic’s Mythos model identified additional security issues shortly after. Building on these milestones, security firm Depthfirst deployed a specialized autonomous agent to scan FFmpeg and found 21 previously unknown zero-days at a cost of approximately $1,000, roughly 10% of what Anthropic spent using Mythos. 21 0-Day Vulnerabilities in FFmpeg Unlike general-purpose coding agents, Depthfirst’s security agent performs serious threat modeling across large codebases. It maps attacker-controlled input entry points, traces data flow through relevant components, and validates whether a vulnerable path is actually reachable. The agent generates reproducible PoC inputs to confirm vulnerabilities and eliminate false positives, with the PoC code published on GitHub by Zhenpeng (Leo) Lin of Depthfirst. The agent discovered vulnerabilities spanning the TS demuxer, VP9 decoder, RTP depacketizers, RTSP server, RTMP client, and more. Eight have been assigned CVEs: CVE-2026-39210 – Heap Buffer Overflow in the TS demuxer (introduced in 2010). CVE-2026-39211 – Integer Overflow in swscale (introduced 2010). CVE-2026-39212 – Stack Overflow in ffmpeg_opt.c (regression from July 2025). CVE-2026-39213 – Heap Buffer Overflow in yuv4mpegenc (introduced 2023). CVE-2026-39214 – Stack Buffer Overflow in the SDT implementation (introduced in 2003, latent for 23 years). CVE-2026-39215 – Heap Buffer Overflow in update_mb_info() (introduced 2012). CVE-2026-39216 – Heap Buffer Overflow in img2enc.c (introduced 2012). CVE-2026-39217 – Heap Buffer Overflow in the VP9 decoder (regression from March 2025). CVE-2026-39218 – Heap Buffer Overflow in the DASH demuxer (introduced in 2017). Additional unassigned findings include bugs in the RTP AV1 depacketizer (DFVULN-127), AVI demuxer, CAF demuxer, RTSP SDP parser, RTMP client, and AVIF overlay path, all of which have been dormant for over 15 years. The most severe finding is a heap buffer overflow in FFmpeg’s AV1 RTP depacketizer (libavformat/rtpdec_av1.c), tracked as DFVULN-127. The flaw lies in how the depacketizer handles Temporal Delimiter (TD) OBUs’ special markers that separate video frames. When a TD is encountered, the code advances the write cursor (pktpos) by the attacker-declared obu_size without allocating the corresponding memory or advancing the input pointer buf_ptr. This causes two compounding issues: the write cursor becomes poisoned, and the next iteration re-parses the TD’s own bytes as a fresh OBU with attacker-controlled contents. The corruption lands directly on an AVBuffer struct allocated immediately after the data buffer by FFmpeg’s posix_memalign-based allocator. At offset +24 within that struct sits a free function pointer, the exact target of the Overflow. When the packet is subsequently reallocated, FFmpeg decrements the buffer’s reference count to zero and invokes the now-corrupted free pointer, handing the attacker full control of the instruction pointer. A working PoC confirms that a single 183-byte RTP packet delivered over RTSP is sufficient to redirect execution, with no authentication, no user interaction, and no unusual flags required. Any system running ffmpeg -i rtsp://attacker/stream is exposed, including media ingest pipelines, CCTV and surveillance systems, and cloud transcoding services processing remote AV1-over-RTP sources. Administrators using FFmpeg in network-facing deployments should apply patches immediately and audit any pipeline that processes untrusted RTSP or RTP streams. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News New Shai-Hulud Attack Compromises 23 PyPI Packages to Target MCP Developers Nimbus Manticore APT Abuses Fake Recruitment Portal to Deliver Custom Malware New ChatGPT Lockdown Mode to Mitigate Prompt Injection and Data Exfiltration Attacks CISA Warns of Android Framework Integer Overflow Vulnerability Exploited in Attacks Hackers Use Malicious Ads to Deliver FlutterShell Backdoor on macOS Systems Latest News Cyber Security News New China-Linked Threat Cluster OP-512 Targets IIS Servers With Cryptographically Unique Web Shell Framework Cyber Security Check Point VPN 0-day Vulnerability Exploited in the Wild to Deploy Ransomware Cyber Security New Linux Kernel Vulnerability Lets Attackers Escalate Privileges to Root Cyber Security News New Pink Hacking Group Attacking Enterprise Users to Steal Cloud Storage Passwords Cyber Security News Malspam Attack Uses Google DoubleClick Redirects to Deliver Fileless .NET Loader
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 09, 2026
    Archived
    Jun 09, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗