21 Zero-Day Vulnerabilities in FFmpeg Risk Remote Code Execution, Experts Urge Immediate Patch

FFmpeg’s 21 Zero-Day Vulnerabilities Expose Systems to Remote Code Execution

In a significant cybersecurity development, an autonomous security agent has identified 21 zero-day vulnerabilities within FFmpeg, the globally utilized media processing library. Among these, a critical heap buffer overflow vulnerability has been discovered, which can be exploited with a mere 183-byte network packet, potentially leading to remote code execution (RCE).

FFmpeg’s Pervasive Role in Media Processing

FFmpeg is integral to media processing across various platforms, including web browsers, streaming services, surveillance systems, and cloud infrastructures. Its extensive codebase, comprising approximately 1.5 million lines of optimized C code, supports the parsing of numerous complex media formats. Despite over two decades of rigorous testing and manual audits, these newly discovered vulnerabilities highlight persistent security challenges.

Discovery and Analysis of the Vulnerabilities

Building upon previous research by Google’s Big Sleep team and Anthropic’s Mythos model, security firm Depthfirst deployed a specialized autonomous agent to scrutinize FFmpeg’s codebase. This agent conducted comprehensive threat modeling, traced data flows, and validated the reachability of potential vulnerabilities. The result was the identification of 21 previously unknown zero-day vulnerabilities at an approximate cost of $1,000, significantly less than prior efforts.

Details of the Identified Vulnerabilities

The vulnerabilities span various components of FFmpeg, including the TS demuxer, VP9 decoder, RTP depacketizers, RTSP server, and RTMP client. Eight of these vulnerabilities have been assigned Common Vulnerabilities and Exposures (CVE) identifiers:

– CVE-2026-39210: Heap Buffer Overflow in the TS demuxer, introduced in 2010.

– CVE-2026-39211: Integer Overflow in swscale, introduced in 2010.

– CVE-2026-39212: Stack Overflow in ffmpeg_opt.c, a regression from July 2025.

– CVE-2026-39213: Heap Buffer Overflow in yuv4mpegenc, introduced in 2023.

– CVE-2026-39214: Stack Buffer Overflow in the SDT implementation, introduced in 2003 and latent for 23 years.

– CVE-2026-39215: Heap Buffer Overflow in update_mb_info(), introduced in 2012.

– CVE-2026-39216: Heap Buffer Overflow in img2enc.c, introduced in 2012.

– CVE-2026-39217: Heap Buffer Overflow in the VP9 decoder, a regression from March 2025.

Additional unassigned vulnerabilities were found in components such as the RTP AV1 depacketizer, AVI demuxer, CAF demuxer, RTSP SDP parser, RTMP client, and AVIF overlay path, some of which have remained dormant for over 15 years.

The Most Severe Vulnerability: DFVULN-127

The most critical of these findings, designated as DFVULN-127, is a heap buffer overflow in FFmpeg’s AV1 RTP depacketizer (libavformat/rtpdec_av1.c). This flaw arises from improper handling of Temporal Delimiter (TD) Open Bitstream Units (OBUs), which are markers separating video frames. When a TD is encountered, the code advances the write cursor by the attacker-specified obu_size without allocating corresponding memory or advancing the input pointer. This leads to two issues: the write cursor becomes corrupted, and the next iteration re-parses the TD’s bytes as a new OBU with attacker-controlled content. The resulting corruption affects an AVBuffer struct allocated immediately after the data buffer by FFmpeg’s posix_memalign-based allocator.
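The two faults described above (a write cursor moved by an untrusted length with no capacity check, and an input pointer that is never advanced) are the checks a depacketizer loop has to make on every OBU. The following is a constructed, simplified model of a hardened loop, added here as an illustration; it is not FFmpeg’s rtpdec_av1.c, and the packet layout (one header byte, one size byte, payload) and the decision to drop TDs from the output are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of an OBU-walking depacketizer: not FFmpeg's code.
 * Assumed packet layout per OBU: 1 header byte, 1 size byte, payload. */

#define OBU_TEMPORAL_DELIMITER 2            /* obu_type value from the AV1 spec */
#define OBU_TYPE(hdr) (((hdr) >> 3) & 0x0f) /* obu_type sits in bits 3..6 */

/* Copies non-TD OBUs from 'in' to 'out'. Returns bytes written, or -1 if the
 * packet is malformed or would not fit. Every length is checked against both
 * the input that is actually present and the output capacity before use. */
int depacketize_hardened(const uint8_t *in, size_t in_len,
                         uint8_t *out, size_t out_cap)
{
    size_t ip = 0, wp = 0;                 /* input and write cursors */
    while (ip < in_len) {
        if (in_len - ip < 2)               /* header + size byte must exist */
            return -1;
        uint8_t hdr = in[ip];
        size_t obu_size = in[ip + 1];      /* attacker-controlled length */
        ip += 2;
        if (obu_size > in_len - ip)        /* payload must be in the packet */
            return -1;
        if (OBU_TYPE(hdr) == OBU_TEMPORAL_DELIMITER) {
            /* Fault 2 in the text: the input pointer must consume the TD so
             * its bytes are not re-parsed as a new OBU. The write cursor is
             * left alone, since nothing is emitted for a TD here. */
            ip += obu_size;
            continue;
        }
        if (obu_size + 2 > out_cap - wp)   /* fault 1: write must fit in out */
            return -1;
        out[wp++] = hdr;
        out[wp++] = (uint8_t)obu_size;
        memcpy(out + wp, in + ip, obu_size);
        wp += obu_size;
        ip += obu_size;
    }
    return (int)wp;
}

/* Constructed sample: a 3-byte FRAME OBU (type 6), a TD, a 1-byte FRAME OBU. */
static const uint8_t sample_packet[] = {0x30, 3, 0xAA, 0xBB, 0xCC, 0x10, 0, 0x30, 1, 0xDD};

/* Constructed hostile sample: a TD claiming 200 bytes that are not present. */
static const uint8_t hostile_packet[] = {0x10, 200, 0x00};
```

With the sample packet the TD is consumed and 8 bytes reach the output; the hostile packet is rejected before any cursor moves, which is exactly the point at which the described overflow would otherwise begin.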

Implications and Recommendations

The discovery of these vulnerabilities underscores the critical need for continuous security assessments of widely used open-source libraries like FFmpeg. Organizations relying on FFmpeg for media processing should promptly apply patches and updates to mitigate potential exploitation risks. Additionally, developers are encouraged to implement robust input validation and memory management practices to prevent similar vulnerabilities in the future.