PT-2026-48240 · Undefined · Undefined
Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-39217
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
21 zero-day vulnerabilities in FFmpeg, the world’s most widely deployed media processing library, including a critical RCE-capable heap buffer overflow reachable with a single 183-byte network packet.
The autonomous agent discovered vulnerabilities spanning the TS demuxer, VP9 decoder, RTP depacketizers, RTSP server, RTMP client, and more. Eight have been assigned CVEs:
CVE-2026-39210 – Heap Buffer Overflow in the TS demuxer (introduced in 2010).
CVE-2026-39211 – Integer Overflow in swscale (introduced 2010).
CVE-2026-39212 – Stack Overflow in ffmpeg_opt.c (regression from July 2025).
CVE-2026-39213 – Heap Buffer Overflow in yuv4mpegenc (introduced 2023).
CVE-2026-39214 – Stack Buffer Overflow in the SDT implementation (introduced in 2003, latent for 23 years).
CVE-2026-39215 – Heap Buffer Overflow in update_mb_info() (introduced 2012).
CVE-2026-39216 – Heap Buffer Overflow in img2enc.c (introduced 2012).
CVE-2026-39217 – Heap Buffer Overflow in the VP9 decoder (regression from March 2025).
CVE-2026-39218 – Heap Buffer Overflow in the DASH demuxer (introduced in 2017).
Affected Products
Undefined