7 comments

[ 2.5 ms ] story [ 29.0 ms ] thread
Nice find.

(I don’t see what this being reported during the Christmas holidays has to do with not revealing the disclosure and patch timeline, a “note that delays should be attributed to Christmas” would have sufficed.)

> Pwno is a AI cybersecurity startup...

We all know that LLMs were used to find these vulnerabilities, specifically on high impact projects. That's fine.

However, my only question is who actually provided the patch: The maintainers of FFmpeg? The LLM that is being used? Or the security researchers themselves after finding the issue?

It seems that these two statements about the issue are in conflict:

> We found and patched 6 memory vulnerabilities in FFmpeg in two days.

> Dec, 2025: avcodec/exif maintainer provided patch.

https://x.com/FFmpeg/status/2006773495066464580

> Seeing as this has made the orange site, let it be known this person is a model security researcher.

> The issue was not in any FFmpeg release, and a report was sent three days after a new code was added to FFmpeg Git.

> There was no big CVE ADVISORY "MUH SECURITEH" "you need to fix this now or you will be hacked and the world will end" associated with the report.

What does it even need EXIF for? Or any image formats other than (M)JPEG? This is a typical example of how bloatware increases security risks.
> What does it even need EXIF for?

Just bloated, unnecessary things like figuring out which colour space the image uses ;)