FFmpeg Had 21 Zero‑Days Sitting for 20 Years — We Can Find Yours Faster
FFmpeg processes video everywhere — browsers, streaming platforms, CCTV systems, media pipelines. It has been fuzzed, audited, and attacked for two decades.
Last week, a security agent found 21 zero‑day vulnerabilities in FFmpeg. Some had been hiding for 20+ years. The cost to find them? About $1k.
Your codebase is smaller. Your budget is tighter. And the clock is already ticking.
If a $1k automated scan can find 20‑year‑old bugs in one of the most hardened codebases on earth, imagine what a focused human pentest can find in your infrastructure. You don’t need a million‑dollar security team. You need someone who knows where to look.
What FFmpeg Taught Us
The depthfirst research team ran their autonomous security agent against FFmpeg. The results were brutal:
- 🔴 21 zero‑days discovered
- 📅 Some bugs had been sitting 15–23 years undetected
- 💰 Total cost: $1k (10% of what Anthropic spent with Mythos)
- 💥 One RCE primitive in the AV1 RTP depacketizer — a single 183‑byte packet is enough to take over a server
- 🎯 Vulnerabilities in components ranging from the TS demuxer (CVE‑2026‑39210) to the VP9 decoder (CVE‑2026‑39217)
Google’s Big Sleep team had already found 13 bugs. Anthropic’s Mythos model found several more. Then depthfirst ran their agent and found 21 that everyone else missed.
The most dangerous bug — a heap buffer overflow in the AV1 RTP depacketizer — was introduced in 2024. It took just over a year to find. The second most dangerous? A stack overflow in the SDT implementation from 2003. 23 years. Nobody noticed.
What This Means for Your Business
You are not FFmpeg. You don’t have 1.5 million lines of C code. You don’t have Google and Anthropic auditing your repos. Your vulnerabilities are probably easier to find — and just as damaging.
If a $1k automated agent can find 20‑year‑old RCEs in heavily hardened software, what can a focused human pentester find in your custom application?
- Exposed dev databases with default credentials — found in hours
- API keys in public GitHub commits — from 18 months ago, still active
- Misconfigured S3 buckets — leaking customer data right now
- Business logic flaws — no scanner will ever find them, but attackers will
FFmpeg had 21 zero‑days. Some for over 20 years. They were discovered not by a massive security team, but by a targeted, intelligent system that cost $1k to run. Attackers are using the same technology. Your code is next.
Why You Need a Human Pentester (Not Just a Scanner)
Automated scanners are good at finding low‑hanging fruit. They are terrible at understanding business logic, chaining low‑risk issues into critical breaches, or finding the things your team forgot existed.
A human pentester brings:
- Context. I understand your business, your risk tolerance, your architecture.
- Creativity. I don’t just scan for patterns — I think like an attacker.
- Chaining. One vulnerability is a finding. Three chained together is a breach.
- Actionable reporting. Not 200 pages of noise. A short list of what to fix and how.
The FFmpeg bugs were found by an agent. But that agent was still guided by humans who knew where to point it. You need the same — a dedicated pentester who knows your stack and your threats.
✅ External reconnaissance — subdomains, open ports, exposed services
✅ Active exploitation — default creds, unpatched vulns, misconfigured APIs
✅ Credential harvesting — IAM keys, database passwords, API tokens
✅ Lateral movement — from dev environment to production in hours
✅ Clear, actionable report — 50 pages, every finding real, every fix explained
The Cost‑Benefit — $1k for 21 Zero‑Days
Depthfirst spent $1k to find 21 critical vulnerabilities in FFmpeg. Let’s put that in perspective:
| Investment | Outcome |
|---|---|
| $1k (automated agent) + human oversight | 21 zero‑days discovered, some latent for 20+ years |
| $3k (full AI agent pentest) | Real findings in your actual infrastructure |
| $1,500/month (retainer) | Quarterly deep dives, monthly scans, 24/7 support |
Compare to: €50k+ for a big‑firm one‑time test that finds 80% false positives.