21 zero-day issues were found in FFmpeg
Article excerpt
depthfirst’s production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, even after intensive security analysis of the project by Google and Anthropic.
Moving beyond theoretical analysis, their agent produced concrete, reproducible proof-of-concept inputs to confirm its findings. Several of the findings had been sitting latent for 15 to 20 years. depthfirst explored the exploitability of the issues and developed a PoC demonstrating a remote code execution exploit primitive.
Among the 21 findings, one stood out: a heap buffer overflow in FFmpeg’s AV1 RTP depacketizer (libavformat/rtpdec_av1.c). It is reachable from the network with no special flags. A victim only has to run ffmpeg -i rtsp://attacker/stream, the most ordinary command imaginable, and a single 183-byte packet is enoug