ffmpeg is deployed everywhere, and old versions of ffmpeg are baked into a lot of devices.

If you have a device that does image, audio or video, libav and/or ffmpeg is likely somewhere in the stack. Your TV, camera, console or streaming device might use the software.

If you're using SaaS that does image, audio or video, they are likely using ffmpeg related software somewhere in their stack.

Same thing with apps, Android and iOS apps might use the libraries, as well as desktop apps.

  > VLC is pretty popular on windows, but ffmpeg?

  > Is there any commonly used windows app that relies on it?

VLC and ffmpeg share the same underlying library family (libav*) where this vulnerability lives.

> I doubt it'd be worth one's time to write exploits for desktop Linux

How many developers, network administrators, etc. run desktop Linux? Gaining access to those can be very, very valuable.

Depends if any important websites are re-compressing user-uploaded videos. If there's a website converting user-uploaded gifs to mp4 to save on bandwidth or something, I wouldn't be surprised if they used ffmpeg to do it.

Yes, lots. To name an example, yt-dip uses it on all platforms, including Windows, which means that any video downloader front-end that uses it also uses FFmpeg.