CVE-2026-30999
FFmpeg Vulnerability Analysis and Mitigation

Overview

CVE-2026-30999 is a heap-based buffer overflow vulnerability in the av_bprint_finalize() function of FFmpeg v8.0.1 that allows unauthenticated attackers to cause a Denial of Service (DoS) via crafted input. The vulnerability was published on April 13, 2026, and affects FFmpeg versions up to and including 8.0.1. It is classified as High severity with a CVSS v3.1 base score of 7.5, assessed by CISA-ADP (GitHub Advisory, Feedly).

Technical details

The vulnerability is rooted in a heap-based buffer overflow (CWE-122) within FFmpeg's av_bprint_finalize() function, which is used in the zmqsend.c tool to finalize dynamically growing print buffers. The zmqsend utility reads input (from a file or stdin), accumulates it character by character into an AVBPrint buffer using av_bprint_chars(), and then calls av_bprint_finalize(). Improper handling of crafted or oversized input can trigger the overflow condition. The attack vector is network-accessible (AV:N), requires no privileges or user interaction, and has low attack complexity, making it straightforward to trigger remotely against services that process attacker-controlled media or ZMQ messages (GitHub Advisory, FFmpeg Source).

Impact

Successful exploitation causes the FFmpeg process to crash, resulting in a Denial of Service condition. The impact is limited to availability; there is no confidentiality or integrity impact identified. Systems or services that rely on FFmpeg for media processing (e.g., streaming servers, transcoding pipelines) could be disrupted if they expose FFmpeg processing to untrusted inputs (Feedly, GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify systems running FFmpeg v8.0.1 or earlier, particularly those exposing ZMQ-based interfaces or processing untrusted media inputs. Tools like Shodan or Censys can help locate internet-facing FFmpeg-based services.
  2. Craft malicious input: Prepare a specially crafted input (e.g., an oversized or malformed data stream) designed to trigger the heap buffer overflow in av_bprint_finalize() when processed by the zmqsend tool or any FFmpeg component using AVBPrint buffer finalization.
  3. Deliver the payload: Submit the crafted input to the target FFmpeg process — either via a ZMQ message to a listening endpoint, a crafted media file, or stdin if the tool reads from standard input.
  4. Trigger the crash: The malformed input causes av_bprint_finalize() to overflow the heap buffer, resulting in a process crash and DoS condition (GitHub Advisory, FFmpeg Source).

Indicators of compromise

  • Process: Unexpected crashes or core dumps of the FFmpeg process (ffmpeg, zmqsend), particularly with segmentation faults or heap corruption errors in logs.
  • Logs: System logs (e.g., /var/log/syslog, application logs) showing repeated FFmpeg process terminations with signals such as SIGSEGV or SIGABRT, potentially correlated with unusual input sources.
  • Network: Anomalous or oversized ZMQ messages sent to FFmpeg ZMQ listener endpoints; repeated connection attempts from unexpected source IPs to ZMQ ports (default TCP 5555).
  • File System: Presence of core dump files in the FFmpeg working directory following unexpected process termination.
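
Added example (not from the original advisory or from FFmpeg): a log triage script for the process and log indicators above, which flags SIGSEGV/SIGABRT terminations of ffmpeg or zmqsend and reports bursts of repeated crashes. It assumes log lines that start with an ISO 8601 timestamp and carry either a kernel segfault message or an auditd ANOM_ABEND record; the sample lines, host name and PIDs are constructed, and the burst threshold and window are illustrative defaults.

```python
import re
from datetime import datetime, timedelta

WATCHED = {"ffmpeg", "zmqsend"}          # process names from the indicator list
SIGNALS = {6: "SIGABRT", 11: "SIGSEGV"}  # Linux signal numbers

# Kernel fault line: "kernel: <comm>[<pid>]: segfault at ..."
KERNEL_RE = re.compile(r"kernel: (?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at ")
# auditd abnormal-termination record as it appears in the journal
AUDIT_RE = re.compile(r'ANOM_ABEND .*?\bpid=(?P<pid>\d+) .*?comm="(?P<comm>[^"]+)".*?\bsig=(?P<sig>\d+)')

SAMPLE_LOG = [  # constructed lines for illustration, not from a real host
    '2026-04-14T10:02:11+00:00 media01 kernel: ffmpeg[4242]: segfault at 10 ip 00007f3a2b1c2d4e sp 00007ffd5e3b1a20 error 6 in ffmpeg[400000+9c000]',
    '2026-04-14T10:02:11+00:00 media01 audit[4242]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 pid=4242 comm="ffmpeg" exe="/usr/bin/ffmpeg" sig=11 res=1',
    '2026-04-14T10:03:40+00:00 media01 audit[4310]: ANOM_ABEND auid=1000 uid=1000 gid=1000 ses=3 pid=4310 comm="zmqsend" exe="/usr/local/bin/zmqsend" sig=6 res=1',
    '2026-04-14T10:04:05+00:00 media01 kernel: ffmpeg[4377]: segfault at 0 ip 00007f3a2b1c2d4e sp 00007ffd5e3b1a20 error 4 in ffmpeg[400000+9c000]',
    '2026-04-14T10:04:30+00:00 media01 kernel: nginx[900]: segfault at 0 ip 0000000000401000 sp 00007ffd00000000 error 4 in nginx[400000+1000]',
    '2026-04-14T10:05:00+00:00 media01 sshd[1200]: Accepted publickey for deploy',
]

def find_crashes(lines):
    """Return (time, process, pid, signal) per crash of a watched process."""
    events, seen = [], set()
    for line in lines:
        stamp, _, rest = line.partition(" ")
        m = KERNEL_RE.search(rest)
        sig = 11 if m else None            # kernel "segfault" line means SIGSEGV
        if m is None and (m := AUDIT_RE.search(rest)):
            sig = int(m["sig"])
        if m is None or m["comm"] not in WATCHED or sig not in SIGNALS:
            continue
        key = (m["comm"], int(m["pid"]), SIGNALS[sig])
        if key in seen:                    # kernel and audit both log one crash
            continue
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue                       # no ISO 8601 timestamp: skip the line
        seen.add(key)
        events.append((when, *key))
    return events

def crash_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return start times of spans holding at least `threshold` crashes."""
    times = sorted(e[0] for e in events)
    return [times[i] for i in range(len(times) - threshold + 1)
            if times[i + threshold - 1] - times[i] <= window]

if __name__ == "__main__":
    crashes = find_crashes(SAMPLE_LOG)
    print(crashes, crash_bursts(crashes))
```

A burst is a reason to look at what input the process was handling at the time; a single crash of a media tool has many benign causes.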

Mitigation and workarounds

A patch is available — users should upgrade FFmpeg to a version beyond 8.0.1 as soon as possible (Feedly, FFmpeg Download). As a network-level workaround, restrict access to FFmpeg-based services and ZMQ endpoints so that only trusted sources can submit input. Additionally, monitor FFmpeg processes for unexpected crashes that may indicate exploitation attempts. Chainguard and Wolfi package maintainers have also addressed this CVE in their distributions (Vulners Chainguard).

Community reactions

The vulnerability received brief attention on social media platforms including Bluesky and Mastodon shortly after disclosure in April 2026, with automated CVE tracking accounts noting the new advisory. The Yocto Project security mailing list discussed the CVE in the context of embedded Linux CVE metrics tracking. No significant vendor statements or notable researcher commentary beyond routine tracking have been identified (Feedly).


This report was generated using AI.

Related FFmpeg vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-40962 | CRITICAL | 9.8 | FFmpeg | ffmpeg-4 | No | Yes | Apr 16, 2026 |
| CVE-2026-8461 | HIGH | 8.8 | FFmpeg | ffmpeg-8.1 | No | Yes | Jun 18, 2026 |
| CVE-2026-30999 | HIGH | 7.5 | FFmpeg | cpe:2.3:a:ffmpeg:ffmpeg | No | Yes | Apr 13, 2026 |
| CVE-2026-12706 | MEDIUM | 6.5 | FFmpeg | ffmpeg | No | Yes | Jun 19, 2026 |
| CVE-2026-6385 | MEDIUM | 6.5 | FFmpeg | ffmpeg | No | Yes | Apr 15, 2026 |
