AI Agent Finds 21 Zero-Days in FFmpeg for $1,000
A startup's autonomous agent surfaced 21 previously unknown vulnerabilities in FFmpeg — including bugs dormant for over two decades — for roughly $1,000 in compute. The same week, Chrome 149 shipped 429 patches, a single-release record.
A security startup called depthfirst ran an autonomous AI agent against FFmpeg's codebase last week and came back with 21 confirmed zero-day vulnerabilities, each paired with a reproducible proof-of-concept. The total compute cost was roughly $1,000.
FFmpeg is not an obscure library. It handles video and audio encoding, decoding, muxing, and streaming inside applications that collectively reach billions of users — from browsers and media players to conference software and content delivery infrastructure. Its attack surface has been audited by human researchers for years. The AI agent found two decades of missed bugs in a single run.
What the Agent Found
The 21 vulnerabilities are concentrated in the components of FFmpeg that process untrusted input before anything else does: the MPEG-TS demuxer, the VP9 decoder, several RTP depacketizers, the swscale scaler, and the DASH and AVI demuxers. Most are heap or stack buffer overflows and integer overflows — the classic memory-safety failures that accumulate in large, long-lived C codebases.
Nine have been assigned CVE identifiers so far, running from CVE-2026-39210 through CVE-2026-39218. The remaining 12 have been patched upstream but not yet numbered. depthfirst has published proof-of-concept code.
The oldest bug in the set is a stack overflow in the service-description-table parser, now tracked as CVE-2026-39214. It dates to 2003. It sat in the codebase for 23 years through countless code reviews, fuzzing runs, and security audits before an AI agent surfaced it in one pass.
The Context
FFmpeg is not new to AI-assisted bug hunting. Google's Big Sleep agent reported a separate set of FFmpeg vulnerabilities last year, and Anthropic's Mythos model pulled a 16-year-old H.264 flaw from the same codebase in an earlier research run. What is new with depthfirst's result is the scale relative to cost. The startup claims its agent covered roughly 1.5 million lines of C at a total compute expense equivalent to what a single security engineer earns in a day.
The practical implication is not simply that AI finds bugs. It is that the economics of vulnerability research have changed. Finding 21 confirmed zero-days with reproducible proofs-of-concept for $1,000 is not a research milestone — it is a pricing signal. Attackers are doing the same math.
Chrome 149 and the Volume Problem
The same week, Google shipped Chrome 149 with patches for 429 security vulnerabilities, the highest count in any single Chrome release. Over 100 are rated critical or high severity. The most severe, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read and write in the ANGLE graphics engine that allows a crafted page to escape the browser sandbox and execute code on the host. Google paid $97,000 for that report.
The Chrome numbers are not directly attributable to AI tooling. Google has not made that claim. What Google has said is that it overhauled its bug bounty program in April specifically because of a flood of AI-generated vulnerability submissions — changing submission requirements to favor concise reproducers over the long-form writeups that AI tends to produce. The record patch count and the policy change arrived in the same quarter.
The pattern across both stories is the same: AI is surfacing vulnerabilities faster than the patch pipeline can absorb them. For FFmpeg, the immediate action is to update to the patched release and audit embedded copies in applications and containers, which frequently lag the upstream version. For Chrome, the update is already in the stable channel.
For anyone running infrastructure that touches video, the more uncomfortable question is how many FFmpeg forks and vendored copies exist across their environment that no one has inventoried yet.
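One way to start that inventory, as an added example that is not code from depthfirst or the FFmpeg project: a scanner that walks a directory tree (for instance an unpacked container image) and identifies FFmpeg by the strings it compiles into its binaries rather than by file name, so renamed and statically linked copies are found too. The function names, the size limit and the choice of markers are assumptions of this sketch.

```python
import os
import re
import sys

# Strings FFmpeg compiles into its binaries: library idents such as
# "Lavf61.7.100" / "Lavc61.19.100" and the "FFmpeg version <x>" banner.
IDENT_RE = re.compile(rb"Lav[fc]\d{1,3}\.\d{1,3}\.\d{1,3}")
BANNER_RE = re.compile(rb"FFmpeg version ([\w.+~:-]{1,40})")
# Media files muxed by FFmpeg also carry a "Lavf..." encoder tag, so only
# executable or library containers count: ELF, PE, Mach-O, ar archive.
CODE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe",
              b"\xca\xfe\xba\xbe", b"!<arch>\n")
MAX_BYTES = 256 * 1024 * 1024  # assumption: larger files are skipped


def scan_file(path):
    """Return FFmpeg evidence found in one file, or None."""
    try:
        if os.path.islink(path) or not os.path.isfile(path):
            return None
        if os.path.getsize(path) > MAX_BYTES:
            return None
        with open(path, "rb") as fh:
            data = fh.read()
    except OSError:
        return None
    if not data.startswith(CODE_MAGIC):
        return None
    idents = sorted({m.group(0).decode() for m in IDENT_RE.finditer(data)})
    banner = BANNER_RE.search(data)
    if not idents and not banner:
        return None
    name = os.path.basename(path).lower()
    return {"path": path, "idents": idents,
            "version": banner.group(1).decode() if banner else None,
            # True when the file name gives no hint that FFmpeg is inside
            "hidden": not re.search(r"ffmpeg|ffprobe|avcodec|avformat", name)}


def scan_tree(root):
    """Walk root and return findings sorted by path."""
    paths = (os.path.join(d, f) for d, _dirs, files in os.walk(root) for f in files)
    return sorted(filter(None, map(scan_file, paths)), key=lambda h: h["path"])


if __name__ == "__main__":
    for h in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(h["path"], h["version"] or "?", ",".join(h["idents"]),
              "HIDDEN" if h["hidden"] else "", sep="\t")
```

The output is a list of candidates only; each reported version still has to be compared against the patched release named by upstream or the vendor that ships the copy.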