CVE-2026-30998

HighPublic PoC

Published: 13 April 2026

Published

13 April 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 14.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30998 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Ffmpeg Ffmpeg. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 14.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 Flaw Remediation requires identifying, prioritizing, and patching flaws like the improper resource deallocation in FFmpeg's zmqsend.c, directly preventing DoS exploitation via crafted inputs.

SC-6 Resource Availability good match

prevent

SC-6 Resource Availability protects against resource exhaustion from leaks triggered by malformed input files processed by the vulnerable zmqsend.c tool.

SC-5 Denial-of-service Protection good match

prevent

SC-5 Denial-of-service Protection limits the impact of resource consumption attacks exploiting the FFmpeg vulnerability to crash the zmqsend tool.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

CVE describes remote exploitation of a resource leak (CWE-400) in FFmpeg's zmqsend tool via crafted input, directly enabling application/system DoS via vulnerability exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input file.

Deeper analysisAI

CVE-2026-30998 is an improper resource deallocation and closure vulnerability in the tools/zmqsend.c component of FFmpeg version 8.0.1. This flaw, classified under CWE-400 (Uncontrolled Resource Consumption), enables attackers to trigger a Denial of Service (DoS) condition by providing a specially crafted input file to the affected tool. The vulnerability received a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its high severity due to the potential for significant availability impact.

Remote attackers can exploit this vulnerability without privileges or user interaction by supplying a malicious input file to the zmqsend.c tool, which is part of FFmpeg's tooling for ZeroMQ-based sending operations. Successful exploitation leads to resource leaks or exhaustion, causing the tool to crash or become unresponsive, resulting in a DoS.

For mitigation details, refer to the primary advisory at https://excellent-oatmeal-319.notion.site/CVE-2026-30998-Resource-Leak-3265a71f9cca4dc58df4632ce8b60a50, along with the affected source code in FFmpeg's doxygen documentation at https://ffmpeg.org/doxygen/7.0/zmqsend_8c_source.html and the GitHub repository at https://github.com/FFmpeg/FFmpeg/blob/master/tools/zmqsend.c.