21 0-Day Vulnerabilities in FFmpeg Enable Remote Code Execution Attacks
ID: b5337203-8a5d-5a26-b1b9-30417912fc9d
STIX ID: report--b5337203-8a5d-5a26-b1b9-30417912fc9d
Feed Name: cybersecurityNews.com
Depthfirst's autonomous security agent discovered 21 zero-day vulnerabilities in FFmpeg — including a critical heap buffer overflow in the AV1 RTP depacketizer that enables remote code execution via a single 183‑byte RTP/RTSP packet. The flaws span demuxers, decoders, and network-facing components used across browsers, streaming platforms, CCTV/surveillance, and cloud transcoding; a PoC exists and several CVEs have been assigned. Administrators should apply patches immediately and audit any pipelines that process untrusted RTSP/RTP streams.
