A recent investigation by an autonomous security agent has uncovered 21 zero-day vulnerabilities in FFmpeg, a vital media processing library used worldwide. Among these is a serious heap buffer overflow vulnerability, capable of remote code execution, triggered by a mere 183-byte network packet.
FFmpeg’s Critical Role in Digital Media
FFmpeg is a crucial component in numerous digital platforms, including web browsers, streaming services, and cloud infrastructures. This open-source library, consisting of approximately 1.5 million lines of C code, is essential for parsing a multitude of complex media formats. Over the years, it has undergone extensive fuzzing and manual audits to ensure its security.
Previously, Google’s Big Sleep team reported 13 vulnerabilities in FFmpeg, and the Mythos model by Anthropic further identified security issues. Building on these findings, the security firm Depthfirst utilized an autonomous agent to scan FFmpeg’s code, revealing 21 new zero-day vulnerabilities with an investment of about $1,000, significantly less than Anthropic’s expenditure.
Unveiling of New Vulnerabilities
Depthfirst’s specialized security agent focuses on threat modeling across extensive codebases, identifying input entry points controlled by attackers, tracing data flow, and confirming the reachability of vulnerable paths. This process ensures the elimination of false positives, with proof-of-concept (PoC) code published on GitHub by Zhenpeng (Leo) Lin of Depthfirst.
The discovered vulnerabilities are diverse, affecting various components such as the TS demuxer, VP9 decoder, and RTP depacketizers. Among these, eight vulnerabilities have been assigned CVEs, including heap and stack buffer overflows, and integer overflow issues, each with unique paths of introduction.
Implications and Precautions for FFmpeg Users
The most severe vulnerability, identified as DFVULN-127, is found within FFmpeg’s AV1 RTP depacketizer. This flaw involves handling Temporal Delimiter OBUs, where improper memory management allows attackers to take control of the instruction pointer by corrupting a free function pointer.
A functional PoC demonstrates that a single 183-byte RTP packet over RTSP can redirect execution without requiring user interaction or special configurations. This exposes systems using FFmpeg, such as media pipelines and surveillance systems, to significant risks.
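The defensive pattern that the depacketizer flaw described above calls for, as an added illustration that is neither FFmpeg's own code nor a reconstruction of the reported bug: an AV1 OBU-stream validator that checks every packet-derived length against the bytes actually remaining before consuming it, and rejects Temporal Delimiter OBUs that carry a payload (the AV1 spec defines temporal_delimiter_obu() as empty). The header-byte layout, the LEB128 encoding and the obu_type value follow the AV1 bitstream specification; the function names and the test inputs are my own.

```c
#include <stddef.h>
#include <stdint.h>
#define OBU_TEMPORAL_DELIMITER 2 /* obu_type value from the AV1 spec */

/* Unsigned LEB128 (AV1 spec 4.10.5): 0 on success, -1 if the buffer ends
   before the terminator byte or the encoding exceeds 8 bytes. */
static int read_leb128(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out)
{
    uint64_t value = 0;
    for (int i = 0; i < 8; i++) {
        if (*pos >= len) return -1;
        uint8_t b = buf[(*pos)++];
        value |= (uint64_t)(b & 0x7f) << (7 * i);
        if (!(b & 0x80)) { *out = value; return 0; }
    }
    return -1;
}

/* Walk a buffer of OBUs; return the OBU count or -1 if malformed. Each
   packet-derived length is checked against the bytes remaining before it is
   used, and a Temporal Delimiter OBU must be empty per the AV1 spec. */
int validate_obu_stream(const uint8_t *buf, size_t len, int *tds_seen)
{
    size_t pos = 0;
    int count = 0;
    *tds_seen = 0;
    while (pos < len) {
        uint8_t hdr = buf[pos++];
        if (hdr & 0x80) return -1;             /* obu_forbidden_bit must be 0 */
        if (hdr & 0x01) return -1;             /* obu_reserved_1bit must be 0 */
        int type = (hdr >> 3) & 0x0f;
        int has_ext = (hdr >> 2) & 1;
        int has_size = (hdr >> 1) & 1;
        if (has_ext) {                         /* one extension byte follows */
            if (pos >= len) return -1;
            pos++;
        }
        uint64_t size;
        if (has_size) {
            if (read_leb128(buf, len, &pos, &size)) return -1;
        } else {
            size = len - pos;                  /* OBU extends to end of buffer */
        }
        if (size > len - pos) return -1;       /* declared size exceeds remaining bytes */
        if (type == OBU_TEMPORAL_DELIMITER) {
            if (size != 0) return -1;          /* payload on an empty-by-definition OBU */
            (*tds_seen)++;
        }
        pos += (size_t)size;
        count++;
    }
    return count;
}
```

A depacketizer that applies these checks before allocating or copying never lets an attacker-chosen size reach a memory operation unverified, which is the class of mistake the page attributes to the AV1 RTP path.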
Administrators are strongly advised to apply patches immediately and review any systems processing untrusted RTSP or RTP streams to safeguard against these vulnerabilities. Ongoing vigilance and prompt updates are crucial for maintaining security in network-facing deployments.
