21 new zero‑day bugs have been reported in FFmpeg.
The findings come from a Depthfirst research team that identified 21 distinct flaws across the library’s core components, including buffer overflows, use‑after‑free errors, and out‑of‑bounds reads. The report lists eight remote code execution candidates and twelve issues that could lead to denial‑of‑service attacks. All vulnerabilities affect versions up to 7.0 and were disclosed to the FFmpeg maintainers on June 10.
FFmpeg powers everything from YouTube transcodes to video‑calling apps, so any exploitable flaw can ripple through a massive software ecosystem. Patch cycles for open‑source projects are often slower than those of commercial vendors, meaning downstream products may remain vulnerable for weeks. The breadth of the bugs also highlights the difficulty of auditing a codebase that spans over 2 million lines and supports dozens of codecs.
Given FFmpeg’s ubiquity, the real impact will depend on how quickly downstream projects apply the upcoming security patches, a step that has historically lagged behind the upstream fixes.
