Depthfirst Agent Identifies 21 Zero-Days in FFmpeg
Depthfirst's agent located 21 confirmed zero-days in FFmpeg after prior model scans by Google and Anthropic. The work demonstrates that targeted security agents can surface reachable, exploitable flaws in heavily audited C codebases at low cost. Widespread media-processing deployments now face concrete remediation pressure.
Depthfirst deployed a specialized security agent that threat-models parsers, traces attacker-controlled data flows through format handlers, and generates reproducible PoC inputs. The system located reachable flaws missed by earlier model-assisted audits, produced working exploits including an RCE primitive, and completed the scan at roughly one-tenth the prior reported cost.
FFmpeg processes untrusted media in browsers, mobile apps, and streaming infrastructure that together reach billions of endpoints daily. The 21 issues concentrate in long-stable demuxers and decoders that have absorbed two decades of fuzzing; their persistence indicates that conventional coverage leaves entire input classes under-examined even after high-profile disclosures of 13 vulnerabilities by Google.
Operationally the findings require immediate triage of affected builds in Chrome, Firefox, VLC, and cloud transcoding fleets. Maintainers must add the new harnesses to continuous fuzzing, back-port bounds checks to stable branches, and treat media parsing surfaces as high-priority attack surfaces rather than assumed-hardened legacy code.
Downstream vendors should inventory FFmpeg versions in shipping products and schedule coordinated disclosure windows within the next 90 days.
Depthfirst Security Agent: At least 7 of the 21 issues will receive assigned CVEs and public patches within 120 days.
Sources (3)
- [1]Primary Source(https://depthfirst.com/research/21-zero-days-in-ffmpeg)
- [2]Google Big Sleep FFmpeg Disclosure(https://github.com/google/oss-fuzz/issues?q=ffmpeg+bigsleep)
- [3]Anthropic Mythos FFmpeg Scan Report(https://www.anthropic.com/research/mythos-ffmpeg)