this post was submitted on 07 Jun 2026
111 points (84.5% liked)

Technology

85208 readers
5112 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
111
AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs (thehackernews.com)
submitted 1 day ago by themachinestops@lemmy.dbzer0.com to c/technology@lemmy.world
38 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] greyscale@lemmy.grey.ooo 35 points 1 day ago (9 children)

What the fuck is a zero day in the context of ffmpeg?

Its not like its a system service that you can get ingress through..

"AI found 21 bugs in massive video project" sounds like junior developer shit hungry to get some shit on their resume.

Even if it wasn't AI slop, this wouldn't be impressive.

[–] Jason2357@lemmy.ca 1 points 3 hours ago

Indeed. AI agents cannot "discover" zero days, they can only discover vulnerabilities. The humans can create zero days by reporting the vulnerability in the media without disclosing it properly.

[–] gandalf_der_12te@feddit.org 8 points 19 hours ago (1 children)

if you upload any image on lemmy, it goes through ffmpeg to be converted into a webp file.

now, you can feed arbitrary input to that ffmpeg process

[–] null@lemmy.zip 1 points 19 hours ago (2 children)

I never thought of doing that with ffmpeg. Why ffmpeg, instead of imagmagick?

[–] gandalf_der_12te@feddit.org 10 points 19 hours ago

ffmpeg is on any system, has a consistent user interface for many different conversions

[–] 8uurg@lemmy.world 4 points 17 hours ago* (last edited 9 hours ago)

It just so happens that many video codecs are based on image formats, so ffmpeg already has a lot of the complex machinery to do so available to also implement these image formats - internally it can just handle it as a single frame of video with specialized formats for that.

Imagemagick (and other tools) also work, but why use multiple pieces of software if what you already have is adequate? ImageMagick is also software, and can also have vurnabilities.

[–] karlhungus@lemmy.ca 26 points 1 day ago (1 children)

My understanding is that ffmpeg is the bedrock that all video streaming services use. I'm suspicious it's a bigger deal than you think

[–] filcuk@lemmy.zip 4 points 19 hours ago

Don't forget various conversion services, which includes photo cloud backups.

[–] VibeSurgeon@piefed.social 37 points 1 day ago (1 children)

Its not like its a system service that you can get ingress through..

With a competently crafted payload, you could perhaps get in via someone's transcoding pipeline.

[–] greyscale@lemmy.grey.ooo 4 points 1 day ago (2 children)

Does nobody isolate ffmpeg and friends from their application?

I can't imagine you'd have much fun breaking into a container that terminates the moment the original ffmpeg stops, or over-runs its max execution time..

[–] panda_abyss@lemmy.ca 19 points 1 day ago (1 children)

Container escapes do exist, and they have shared kernel with the host

[–] Passerby6497@lemmy.world 4 points 1 day ago

If you're running rootless containers, it's less of a concern. I'm trying to move all of my public containers to podman for this reason

[–] VibeSurgeon@piefed.social 1 points 19 hours ago

Sure, you'd need a second exploit to escalate from there.

ffmpeg is expected to run for extended periods of time, given its use in transcoding.

[–] Zarxrax@lemmy.world 20 points 1 day ago

From the article

Most are heap or stack overflows in parsers and demuxers, spanning components from the TS demuxer to the VP9 decoder. depthfirst says some already carry CVE identifiers; its writeup lists nine, CVE-2026-39210 through CVE-2026-39218, and notes the rest are fixed but not yet numbered. It also published a PoC.

[–] tomalley8342@lemmy.world 17 points 1 day ago

I imagine there are many web services around the world which use ffmpeg to handle user submitted content.

[–] fonix232@fedia.io 13 points 1 day ago

Tell me you know nothing about the intricacies of media playback (especially hardware accelerated), without telling me...

[–] nitroemdash@lemmy.wtf 2 points 18 hours ago (1 children)

FFMPEG in the command line generally has permission to access the entire non-sudo filesystem and delete files.

[–] greyscale@lemmy.grey.ooo 1 points 16 hours ago (1 children)

Yes but why are we allowing user input to be fed to an executable in that environment?

[–] LodeMike@lemmy.today 3 points 16 hours ago

This is the environment that almost all user software is executed.