21 Zero-Days in FFmpeg | depthfirst
depthfirst.com
depthfirst's production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, after intensive security analysis by Google and Anthropic. Moving beyond theoretical analysis, our agent produces concrete, reproducible PoC inputs to confirm its findings at a fraction of the costs ($1k vs. $10k). Several of the findings had been sitting latent for 15 to 20 years. We explored the exploitability of the issues and developed a PoC demonstrating a RCE exploit primitive.

TLDR: depthfirst’s production autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg, after intensive security analysis by Google and Anthropic. Moving beyond theoretical analysis, our agent produces concrete, reproducible PoC inputs to confirm its findings at a fraction of the costs ($1k vs. $10k). Several of the findings had been sitting latent for 15 to 20 years. We explored the exploitability of the issues and developed a PoC demonstrating a RCE exploit primitive.

  • floquant@lemmy.dbzer0.comEnglish
    43·
    12 days ago

    Back in my day, zero-day meant exploited in the wild first, described publicly later. Or a disclosure without involving the target with an exploit attached.

    • Venator@lemmy.nzEnglish
      51·
      12 days ago

      I guess they must’ve published this without notifying ffmpeg first?

        • Venator@lemmy.nzEnglish
          3·
          12 days ago

          dunno, I didn’t open the article because the title claims they did and I don’t want to encourage that sort of behavior with engagement 😜