Summary
ZeroPath published a seven-issue FFmpeg cluster on December 2, 2025. The reported issues span Android MediaCodec audio handling, RTMP client packet construction, ICY metadata parsing, RTP RFC4175 video handling, drawtext detection labels, WHIP muxing, and SCTP writes.
The issues include heap buffer overflows, stack off-by-one writes, invalid free behavior, and an underflow path that can turn a short buffer into a very large network send. ZeroPath says FFmpeg patched all seven and links each issue to an upstream patch.
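The "underflow path" in the summary above describes a general bug class: a payload length computed by unsigned subtraction without first checking that the buffer is at least as long as the header, so a short buffer wraps to a huge size. The following C is an added illustration of that class and its fix; it is not ZeroPath's or FFmpeg's code, and `HDR_LEN`, `payload_len_unchecked`, `payload_len_checked` and `send_payload` are hypothetical names chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fixed header size, constructed for this example. */
#define HDR_LEN 12

/* Bug pattern: payload length derived by unsigned subtraction with no check
 * that the buffer actually covers the header. For a 4-byte buffer this
 * wraps to SIZE_MAX - 7, a value a caller might pass straight to a send
 * routine. */
size_t payload_len_unchecked(size_t buf_len) {
    return buf_len - HDR_LEN;
}

/* Hardened form: reject short buffers before subtracting.
 * Returns 0 and stores the length in *out on success, -1 otherwise. */
int payload_len_checked(size_t buf_len, size_t *out) {
    if (buf_len < HDR_LEN)
        return -1;
    *out = buf_len - HDR_LEN;
    return 0;
}

/* Stand-in for a send routine that uses the checked computation.
 * Returns the number of payload bytes it would write, or -1 on a short
 * buffer. The buffer contents are not touched here. */
long send_payload(const unsigned char *buf, size_t buf_len) {
    size_t n;
    (void)buf;
    if (payload_len_checked(buf_len, &n) != 0)
        return -1;
    /* A real implementation would write buf + HDR_LEN, n bytes, to the socket. */
    return (long)n;
}

int main(void) {
    unsigned char short_pkt[4] = {0};   /* constructed: shorter than the header */
    unsigned char good_pkt[20] = {0};   /* constructed: header plus 8 payload bytes */
    printf("unchecked length for 4-byte buffer: %zu\n",
           payload_len_unchecked(sizeof short_pkt));
    printf("checked send of 4-byte buffer: %ld\n",
           send_payload(short_pkt, sizeof short_pkt));
    printf("checked send of 20-byte buffer: %ld\n",
           send_payload(good_pkt, sizeof good_pkt));
    return 0;
}
```

Compiled and run, the unchecked computation prints a length near `SIZE_MAX` for the 4-byte buffer, while the checked path refuses it and reports 8 for the 20-byte buffer; the defensive point is that the bounds check must precede the subtraction, not follow it.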
Attribution
This is self-reported. ZeroPath supplies the AI-assisted SAST claim and the technical explanation of how the analyzer reasoned about allocation/copy alignment, protocol framing, capacity accounting, cardinality, and offset arithmetic.
The upstream patch links are enough to count the cluster as public and accepted, but not enough to count it as seven CVE-backed findings. Until CVE IDs or individual advisories appear, Bugflation indexes this as one no-CVE cluster.
Why it matters
FFmpeg is a mature, heavily exercised media stack. Finding multiple memory safety issues in less-traveled protocol, muxer, platform, and metadata paths is a useful bugflation signal: AI-assisted analysis can complement fuzzing by reasoning over paths that are hard to hit with normal harnesses.
References
- ZeroPath: Autonomously finding 7 FFmpeg vulnerabilities with AI
- FFmpeg patch: Android MediaCodec audio overflow
- FFmpeg patch: RTMP client buffer overflow
- FFmpeg patch: ICY metadata off-by-one
- FFmpeg patch: RTP RFC4175 overflow
- FFmpeg patch: drawtext buffer overwrite
- FFmpeg patch: WHIP invalid free
- FFmpeg patch: SCTP write underflow
Catalogued in the Bugflation public ledger.