CVE-2026-30999

HighPublic PoC

Published: 13 April 2026

Published

13 April 2026

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0005 16.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30999 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Ffmpeg Ffmpeg. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the heap buffer overflow flaw in FFmpeg's av_bprint_finalize() function through timely patching or updates to prevent DoS exploitation.

SI-10 Information Input Validation good match

prevent

Validates and sanitizes crafted inputs before processing by FFmpeg to block heap buffer overflows triggered by malicious media files.

SI-16 Memory Protection good match

prevent

Implements memory protections like ASLR and heap canaries to mitigate the effects of heap buffer overflows in FFmpeg, preventing reliable DoS crashes.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Heap buffer overflow in FFmpeg enables remote unauthenticated attackers to crash the application via crafted input, directly mapping to application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A heap buffer overflow in the av_bprint_finalize() function of FFmpeg v8.0.1 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Deeper analysisAI

CVE-2026-30999 is a heap buffer overflow vulnerability, classified under CWE-122, affecting the av_bprint_finalize() function in FFmpeg version 8.0.1. Published on 2026-04-13, it enables attackers to trigger a Denial of Service (DoS) condition via a specially crafted input. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

The vulnerability can be exploited by remote, unauthenticated attackers requiring no privileges or user interaction, with low attack complexity over the network. Exploitation involves processing a malicious input, leading to a heap buffer overflow that crashes the affected FFmpeg instance and disrupts service availability, without compromising confidentiality or integrity.

Key references include a Notion site documenting CVE-2026-30999, FFmpeg doxygen source for zmqsend.c (version 7.0), the GitHub repository source for tools/zmqsend.c, and the official FFmpeg download page. Security practitioners should review these resources for code analysis and updates to address the vulnerability in FFmpeg deployments.