Twenty One Zero-Days in FFmpeg
4 hours ago
- #Zero-Day
- #Autonomous Security
- #FFmpeg
- Depthfirst's autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg.
- The vulnerabilities were found at a cost of roughly $1k, about 10% of what Anthropic spent using Mythos.
- Eight of the vulnerabilities have been assigned CVEs, with the rest identified by internal tracking IDs.
- Several vulnerabilities had been latent for 15 to 20 years, including one introduced in 2003.
- The security agent performs threat modeling, audits attack surfaces, validates data flow, and generates reproducible PoC inputs.
- A highlighted vulnerability is a heap buffer overflow in the AV1 RTP depacketizer, exploitable via a single RTP packet.
- The exploit allows remote code execution by corrupting an AVBuffer struct's free function pointer.
- The bug is reachable from the network without any special flags; a standard RTSP stream command is enough to reach the vulnerable code.
- Findings span multiple FFmpeg components, including demuxers, decoders, and parsers.
- The system confirms each vulnerability by executing its PoC input, so reported findings are real and actionable rather than static-analysis guesses.