Threat Advisory

FFmpeg Vulnerabilities Enable Malicious Media Decoding

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in FFmpeg (versions up to 6.x) and Google Chrome 149. The flaws span heap and stack overflows in media parsers, out‑of‑bounds reads and writes in graphics components, and numerous use‑after‑free and input‑validation errors. Exploitation can lead to remote code execution, sandbox escape, and denial‑of‑service conditions across any system that processes untrusted video streams or renders web content. Given the ubiquity of FFmpeg in media pipelines, container images and embedded devices, and Chrome’s role as a primary browser, the business risk includes data compromise, service interruption, and potential regulatory impact.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in FFmpeg (versions up to 6.x) and Google Chrome 149. The flaws span heap and stack overflows in media parsers, out‑of‑bounds reads and writes in graphics components, and numerous use‑after‑free and input‑validation errors. Exploitation can lead to remote code execution, sandbox escape, and denial‑of‑service conditions across any system that processes untrusted video streams or renders web content. Given the ubiquity of FFmpeg in media pipelines, container images and embedded devices, and Chrome’s role as a primary browser, the business risk includes data compromise, service interruption, and potential regulatory impact.[emaillocker id="1283"]

  • CVE-2026-10881 with a CVSS score of 9.6 – An out‑of‑bounds read and write in the ANGLE graphics engine can be triggered by a crafted web page, allowing the attacker to break the Chrome sandbox and execute arbitrary code on the host.
  • CVE-2026-39210 – A heap overflow in the TS demuxer can be triggered by a malicious transport‑stream file, enabling remote code execution when the file is processed.
  • CVE-2026-39211 – A stack overflow in the service‑description‑table parser allows attackers to corrupt memory and potentially run code with the privileges of the processing application.
  • CVE-2026-39212 – An out‑of‑bounds write in the VP9 decoder can be exploited by a crafted video stream to achieve arbitrary code execution.
  • CVE-2026-39213 – A heap overflow in the HLS demuxer permits execution of attacker‑controlled payloads when malicious playlists are opened.
  • CVE-2026-39214 – A buffer overread in the MP4 parser may lead to information disclosure and can be chained with other bugs for full compromise.
  • CVE-2026-39215 – An unchecked length field in the FLV demuxer results in a heap overflow that can be abused to execute code.
  • CVE-2026-39216 – A stack overflow in the AV1‑over‑RTP handling routine enables attackers to hijack control flow on vulnerable systems.
  • CVE-2026-39217 – A use‑after‑free in the codec initialization path can be triggered by crafted input, leading to remote code execution.
  • CVE-2026-39218 – An integer overflow in the MPEG‑TS packet parser allows memory corruption and potential privilege escalation.

The combined exposure of critical media processing libraries and a dominant web browser creates a high‑severity risk that demands swift attention. Exploitation could grant attackers full system control, facilitate data exfiltration, and cause service outages, resulting in operational disruption and possible compliance repercussions.

RECOMMENDATION:

  • We recommend you to update Chrome to version 149.0.7827.53 on Linux or version 149.0.7827.53/54 on Windows and macOS.

REFERENCES:

The following reports contain further technical details:
https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html

[/emaillocker]
crossmenu