AI Agent Finds 21 Zero-Days in FFmpeg; Chrome Patches 429 Bugs
An AI agent has identified 21 zero-day vulnerabilities within FFmpeg, a widely used video processing component. Separately, the Chrome browser patched a record 429 bugs, highlighting ongoing security challenges in critical software used in streaming and web technologies.
Key Takeaways
- An AI agent identified 21 new zero-day vulnerabilities in FFmpeg, a widely used media framework.
- Google's Chrome 149 release patched 429 security bugs, including 22 critical and 90 high-severity issues.
- One FFmpeg zero-day in the AV1 RTP depacketizer allows remote code execution via a single 183-byte RTSP packet without authentication.
- Some FFmpeg vulnerabilities found by the AI agent had existed undetected for over two decades, with one dating back to 2003.
- The AI agent's FFmpeg vulnerability discovery cost roughly $1,000, significantly less than previous human-driven efforts.
Why It Matters
The discovery of numerous long-standing zero-day vulnerabilities in critical streaming infrastructure like FFmpeg poses an immediate risk to any service processing remote media, as attackers can exploit them for remote code execution. This highlights a broader trend: AI is accelerating vulnerability discovery, which places immense pressure on development teams to maintain secure codebases and speeds up the patch cycle. Going forward, watch for increased adoption of AI-driven security auditing in media software pipelines and for changes in bug bounty program structures as human security teams struggle to keep pace with machine-generated findings.
Additional Context
The recent findings by depthfirst's AI agent, which uncovered 21 zero-days in FFmpeg for approximately $1,000, build on previous AI-driven vulnerability research. As reported by The Next Web (June 2026), Google's Big Sleep agent previously identified FFmpeg bugs, and Anthropic's Mythos model successfully located an H.264 flaw and others that had gone unnoticed for years. These efforts demonstrate that advanced AI models are increasingly capable of analyzing dense C codebases more efficiently, with depthfirst claiming to achieve comparable results at a tenth of Anthropic's reported cost.
While Chrome's record 429 bug patches in version 149 were not directly attributed to AI, Google overhauled its bug bounty program in April (The Next Web, June 2026), requesting concise, reproducible reports instead of the more verbose AI-generated submissions. This suggests that a rise in AI-assisted vulnerability reporting is affecting even major browser vendors. One notable Chrome vulnerability, CVE-2026-10881, scored 9.6 on the CVSS scale and allowed a crafted page to escape Chrome's sandbox, with Google paying $97,000 for its report.
The Next Web also noted that an autonomous tool recently found an authenticated remote code execution flaw in Redis that had existed for over two years, reinforcing the trend of AI exposing long-standing vulnerabilities.
Read full article at thehackernews.com