
FFmpeg parser/demuxer overflows (multiple vulnerabilities)

Vulnerability
Happening score: 36
1 unique source, 1 article

Summary


FFmpeg now has 21 confirmed zero-days, creating risk for any product that bundles the media library and processes untrusted video input. The findings include heap and stack overflows in parsers and demuxers, and each bug has a reproducible proof-of-concept. Several flaws were latent for 15 to 20 years, including one stack overflow dating to 2003. Some issues already map to CVE-2026-39210 through CVE-2026-39218, while the rest are fixed but not yet numbered.

Related Happenings

Linux kernel Dirty Frag local root privilege-escalation flaw

Vulnerability
First: 08.05.2026 10:45 · Last: 08.05.2026 10:45 · Sources: 1

About this happening: **Dirty Frag** is a newly disclosed **Linux kernel** zero-day that can give **local attackers root privileges** on **most major Linux distributions**. The flaw is anchored in the...

Ghostscript, OpenSC, and CGIF memory corruption flaws

Vulnerability
First: 06.02.2026 07:49 · Last: 06.02.2026 07:49 · Sources: 1

About this happening: **Ghostscript**, **OpenSC**, and **CGIF** were among the open-source libraries affected by a newly disclosed batch of **more than 500 previously unknown high-severity flaws**. The...

Timeline

  1. 06.06.2026 10:28 · 2 articles

    depthfirst finds 21 zero-days in FFmpeg

    Initial Disclosure

    depthfirst's autonomous security agent scanned about 1.5 million lines of C in FFmpeg and produced 21 confirmed zero-days, each with a reproducible proof-of-concept input. Several of the bugs already carry CVE-2026-39210 through CVE-2026-39218, and one stack overflow in the service-description-table code dates to 2003.
