Heap Overflow in FFmpeg EXIF

Nice find.

(I don’t see what this being reported during the Christmas holidays has to do with not revealing the disclosure and patch timeline, a “note that delays should be attributed to Christmas” would have sufficed.)

Hmm interesting. You can see recent edits to the file here https://github.com/FFmpeg/FFmpeg/commits/master/libavcodec/e...

This specific issue is fixed here https://github.com/FFmpeg/FFmpeg/commit/4bfac71ecd96488dd2dc...

https://x.com/FFmpeg/status/2006773495066464580

> Seeing as this has made the orange site, let it be known this person is a model security researcher.

> The issue was not in any FFmpeg release, and a report was sent three days after a new code was added to FFmpeg Git.

> There was no big CVE ADVISORY "MUH SECURITEH" "you need to fix this now or you will be hacked and the world will end" associated with the report.

> Pwno is a AI cybersecurity startup...

We all know that LLMs were used to find these vulnerabilities, specifically on high impact projects. That's fine.

However, my only question is who actually provided the patch: The maintainers of FFmpeg? The LLM that is being used? Or the security researchers themselves after finding the issue?

It seems that these two statements about the issue are in conflict:

> We found and patched 6 memory vulnerabilities in FFmpeg in two days.

> Dec, 2025: avcodec/exif maintainer provided patch.