
Twenty One Zero-Days in FFmpeg

https://depthfirst.com/research/21-zero-days-in-ffmpeg
61•redbell•2h ago

Comments

bethekidyouwant•1h ago
How does the browser use it? Unless they mean there’s a zero day in libavcodec
fpoling•1h ago
Browsers run it in a sandbox process together with allocator hardening. Most of the bugs then are just crashes of the sandbox.

Another option is WASM or WASM-style sandboxes if using another process is undesirable.

johnnythunder•1h ago
One chained sandbox escape away from compromise.
ttoinou•1h ago
Ahah

But are the compiler+OS that runs the ffmpeg executable really a sandbox?

loeg•29m ago
Which is of course better than zero sandbox escapes.
nemothekid•1h ago
> The reach of this bug is what makes it serious. Any deployment that points FFmpeg at an attacker-influenced RTSP URL is exposed: media ingest pipelines fetching user-supplied stream URLs, surveillance and CCTV systems pulling RTSP feeds, and transcoding services processing remote AV1-over-RTP sources

Wow this is actually pretty serious - I'm even surprised it's being published. There are several services where I can imagine this is exploitable today.

akerl_•1h ago
Some people might suggest it’s crucial to publish if you’re aware of a serious vulnerability, so that people using the software in a vulnerable way can take steps to mitigate the risk.
skupig•31m ago
You would also need some sort of ASLR leak to make this exploitable
jacobgold•1h ago
I've been using ffmpeg for a very long time, both personally and for services I've built. Fabrice Bellard is a genius, and the developers who have taken it so far have made the world measurably richer.

But I can't think of a program more worthy of sandboxing when run with untrusted input than ffmpeg. It's a huge amount of C dealing with the most complicated video and audio codecs, which is notoriously impossible to get completely right.

But it's not actually that big of a problem. I run ffmpeg inside a VM or gVisor, and the end result is usually a video file that I'm perfectly willing to play in my browser, where it gets decoded in yet another sandbox because this shit is hard.

Gehinnn•1h ago
What do you mean "video file that I'm perfectly willing to play in my browser". Isn't it safe to assume that no video file can escape the browser decoding sandbox?
thaumasiotes•1h ago
> Isn't it safe to assume that no video file can escape the browser decoding sandbox?

Why would that be safe to assume? If that were a reasonable assumption, you could just as well assume that it's safe to run ffmpeg.

ttoinou•1h ago
The parent does argue it is safer to sandbox ffmpeg, yes
Denvercoder9•49m ago
I'm not up-to-speed with the current state of sandboxing in browsers, but in principle it's (on modern operating systems) not especially hard for them to sandbox the decoding into a separate process with basically no privileges beyond rendering a video stream. It's a bit trickier if we're only considering demuxing and delegating decoding to the hardware, but that's a much smaller attack surface.

A manually run ffmpeg on the command line does nothing to restrict its privileges, and its security model has very little interest in doing so, while browsers very much have.
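
The privilege restriction discussed in the comments above (gVisor, no network, a decoder process with almost no rights), as an added example that is not code from any commenter or from the FFmpeg project: a Python wrapper that builds a locked-down `docker run` invocation for transcoding one untrusted local file. The image name `ffmpeg-sandbox:local`, the `runsc` runtime registration and the function names are assumptions.

```python
import subprocess
from pathlib import Path

IMAGE = "ffmpeg-sandbox:local"  # assumption: local image whose entrypoint is ffmpeg
RUNTIME = "runsc"               # assumption: gVisor registered as a Docker runtime


def build_sandboxed_cmd(src, dst_dir, out_name="out.mp4"):
    """Return the docker argv that transcodes src into dst_dir/out_name."""
    # Local files only: a URL would have ffmpeg open network protocols itself,
    # which is the attacker-influenced RTSP case quoted in the thread.
    if "://" in src:
        raise ValueError("input must be a local file path, not a URL")
    if "," in src or "," in dst_dir:
        raise ValueError("commas would break the --mount specification")
    if "/" in out_name or out_name.startswith("-"):
        raise ValueError("output name must be a plain file name")
    src_path = Path(src).resolve()
    out_path = Path(dst_dir).resolve()
    return [
        "docker", "run", "--rm",
        "--runtime=" + RUNTIME,             # syscalls hit gVisor, not the host kernel
        "--network=none",                   # no outbound fetches, no exfiltration path
        "--read-only",                      # immutable root filesystem
        "--cap-drop=ALL",
        "--security-opt=no-new-privileges",
        "--user=65534:65534",               # assumption: dst_dir is writable by this uid
        "--pids-limit=64", "--memory=1g", "--cpus=2",
        "--tmpfs=/tmp:rw,noexec,nosuid,size=64m",
        "--mount", "type=bind,src=%s,dst=/in/input,readonly" % src_path,
        "--mount", "type=bind,src=%s,dst=/out" % out_path,
        IMAGE,
        # ffmpeg only ever sees fixed in-container paths, never the caller's string.
        "-nostdin", "-hide_banner",
        "-protocol_whitelist", "file",      # input may not reference other protocols
        "-i", "/in/input",
        "/out/" + out_name,
    ]


def transcode(src, dst_dir, timeout_s=600):
    """Run the sandboxed transcode; a crash or hang surfaces as an exception."""
    subprocess.run(build_sandboxed_cmd(src, dst_dir), check=True, timeout=timeout_s)
```

A decoder crash then costs one container exit code, and the output directory is the only host path the process can write to.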

wavemode•1h ago
> At this point the corrupted free pointer is called, and control of the instruction pointer is ours.

Very serious, though in practice it doesn't sound like this bug achieves arbitrary RCE on its own (especially in the presence of ASLR). You would need there to be some writable and executable page of memory lying around.

skupig•25m ago
The article glosses over this, but it looks like the next variable in the struct is conveniently the first parameter to the function, so you can run arbitrary code with system() or whatever. But, yeah, you would need some other exploit to defeat ASLR.
ttoinou•1h ago
Is the future of defense-against-foreign-agents-on-my-codebase to subtly hide prompt injections into one’s codebase that would defeat agents to find security bugs?

If the attackers of ffmpeg need to be using such those authors’ services to find RCE in popular tools to attack, what the ffmpeg team needs to defeat attackers is to reduce efficiency of such tools depthfirst

Davidzheng•58m ago
No...
fizzynut•54m ago
I find it difficult to know how serious the issue is, if it is even an issue.

LLM constantly confidently giving me this same sounding script with a "the root cause" and how it "is simple" while being completely incorrect.

zerobees•50m ago
Ffmpeg has an exceptionally terrible track record when it comes to security. People have been throwing fuzzers at it for as long as I remember and coming back with a nearly inexhaustible supply of memory corruption bugs. Here's an effort by one Googler a decade ago:

https://security.googleblog.com/2014/01/ffmpeg-and-thousand-...

So, while it's a demo of the capabilities of LLMs, this should not be at all surprising. Ffmpeg is absolutely not something you should be running outside of a sandbox if you're touching any untrusted or user-supplied content. I know that people do, and these people are taking unreasonable risks.

loeg•32m ago
They're also extremely hostile to security researchers who report these issues.
bayouborne•43m ago
What about VLC's own built-in versions of decoding libraries (I think, from the FFmpeg project)? Is there a scenario here where we may have to deal with malicious MP4 files?
omoikane•41m ago
Is there a timeline for each of these bugs? I wonder if these bugs had been reported to ffmpeg yet.
Philpax•27m ago
"No way to prevent this" say users of only language where this regularly happens, etc, etc. Several of these bugs do not appear to be in hot code and would have been detected by a language with saner behaviour.
da_chicken•15m ago
That's not what "zero-day" means.
cyberax•52m ago
But then you also often need hardware accelerators for encoding, so you need to use C again.