AI Agent Discovers 21 Zero-Day Vulnerabilities in FFmpeg, Chrome Patches 429
2026-06-08 09:55

en.Wedoany.com Reported - A security startup named depthfirst used an autonomous AI agent to scan approximately 1.5 million lines of C code in the open-source media library FFmpeg, uncovering 21 previously unknown zero-day vulnerabilities, each with a reproducible proof-of-concept (PoC) input. The company stated that the run cost around $1,000. Some of the bugs had been dormant for 15 to 20 years or longer: a stack overflow in the service description table (SDT) code of the MPEG-TS demuxer dates back to 2003, which means it had existed for 23 years.

The vulnerabilities are concentrated in parsers and demuxers, including the MPEG-TS demuxer and the VP9 decoder, and most are heap or stack overflows, the usual outcome when a length field read from the stream is trusted as a copy size or offset. depthfirst's report lists 9 CVE identifiers (CVE-2026-39210 to CVE-2026-39218) and notes that the remaining vulnerabilities have been fixed upstream but not yet assigned numbers. The company also released the PoC inputs.
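The SDT stack overflow is a textbook instance of this bug class: every length in a DVB descriptor loop comes from the stream, and a parser that uses one of them unchecked reads or writes past a buffer. The C code below is an added example written for this page, not FFmpeg's code and not depthfirst's PoC. It parses a DVB service_descriptor (tag 0x48, field layout per ETSI EN 300 468) two ways: an unchecked variant that uses `provider_len` and `name_len` on faith, and a checked variant that validates each length against the descriptor, the enclosing loop and the output buffer. The descriptor bytes (`kGoodLoop`, `kBadLoop`), the 16-byte output buffer and the helper names are all constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example, not FFmpeg code. A DVB service_descriptor (tag 0x48) as it
 * appears in an SDT descriptor loop:
 *   tag(1) len(1) service_type(1) provider_len(1) provider[provider_len]
 *   name_len(1) name[name_len]
 * Every length is attacker-controlled stream data. */

#define SERVICE_DESC_TAG 0x48

/* Unsafe variant: the bug pattern. provider_len and name_len are used as
 * offsets and copy sizes without being compared to the descriptor length,
 * the loop length, or the size of `out`. On hostile input it reads past the
 * section and writes past `out`; call it on kBadLoop only under ASan. */
int sdt_service_name_unsafe(const uint8_t *loop, size_t loop_len,
                            char *out, size_t out_sz)
{
    const uint8_t *p = loop;
    (void)out_sz;                                   /* never consulted */
    while (p < loop + loop_len) {
        uint8_t tag = p[0], len = p[1];
        if (tag == SERVICE_DESC_TAG) {
            uint8_t provider_len = p[3];
            uint8_t name_len = p[4 + provider_len];
            memcpy(out, p + 5 + provider_len, name_len); /* unchecked copy */
            out[name_len] = '\0';
            return name_len;
        }
        p += 2 + len;
    }
    out[0] = '\0';
    return 0;
}

/* Checked variant: each length is validated against the container it lives
 * in before it is used. Returns the name length, or -1 on malformed input. */
int sdt_service_name_checked(const uint8_t *loop, size_t loop_len,
                             char *out, size_t out_sz)
{
    size_t off = 0;
    if (out_sz == 0)
        return -1;
    while (off < loop_len) {
        if (loop_len - off < 2)
            return -1;                              /* truncated header */
        uint8_t tag = loop[off], len = loop[off + 1];
        if (len > loop_len - off - 2)
            return -1;                              /* descriptor overruns loop */
        const uint8_t *d = loop + off + 2;          /* descriptor body, len bytes */
        if (tag == SERVICE_DESC_TAG) {
            if (len < 3)
                return -1;                          /* no room for fixed fields */
            uint8_t provider_len = d[1];
            if ((size_t)provider_len + 3 > len)
                return -1;                          /* provider overruns descriptor */
            uint8_t name_len = d[2 + provider_len];
            if ((size_t)provider_len + 3 + name_len > len)
                return -1;                          /* name overruns descriptor */
            if (name_len >= out_sz)
                return -1;                          /* name would overrun `out` */
            memcpy(out, d + 3 + provider_len, name_len);
            out[name_len] = '\0';
            return name_len;
        }
        off += 2 + (size_t)len;
    }
    out[0] = '\0';
    return 0;
}

/* Constructed inputs. kGoodLoop is a well-formed descriptor; kBadLoop claims a
 * 255-byte service name but supplies 3 bytes, the shape of a crashing PoC. */
const uint8_t kGoodLoop[] = {
    0x48, 0x0A, 0x01,              /* tag, len 10, service_type digital TV */
    0x03, 'A', 'B', 'C',           /* provider_len 3, "ABC" */
    0x04, 'N', 'e', 'w', 's',      /* name_len 4, "News" */
};
const uint8_t kBadLoop[] = {
    0x48, 0x06, 0x01,              /* tag, len 6 */
    0x00,                          /* provider_len 0 */
    0xFF, 'X', 'X', 'X',           /* name_len 255, only 3 bytes follow */
};

static char g_name[16];            /* small fixed output buffer, as in the bug */

/* Run a parser over one loop into g_name; used by main and by tests. */
int run_checked(const uint8_t *loop, size_t loop_len)
{
    return sdt_service_name_checked(loop, loop_len, g_name, sizeof g_name);
}
int run_unsafe_on_good_input(void)
{
    return sdt_service_name_unsafe(kGoodLoop, sizeof kGoodLoop, g_name, sizeof g_name);
}
const char *last_name(void) { return g_name; }

int main(void)
{
    printf("checked/good: %d (%s)\n", run_checked(kGoodLoop, sizeof kGoodLoop), last_name());
    printf("checked/bad:  %d\n", run_checked(kBadLoop, sizeof kBadLoop));
    printf("unsafe/good:  %d (%s)\n", run_unsafe_on_good_input(), last_name());
    /* sdt_service_name_unsafe(kBadLoop, ...) is deliberately not called. */
    return 0;
}
```

The checked variant rejects `kBadLoop` at the descriptor-length comparison, before any copy; the unchecked one would memcpy 255 bytes from an 8-byte array into a 16-byte buffer. When auditing a real demuxer, the questions are the same three the checked version asks at each step: does this length fit the descriptor, does the descriptor fit the loop, and does the result fit the destination.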

In the same week, Google released Chrome version 149, fixing 429 security vulnerabilities, a record for a single release. Over 100 of these are classified as critical or high severity, with the dominant classes being use-after-free and insufficient input validation. The most severe is CVE-2026-10881 (CVSS 9.6), an out-of-bounds read and write in the ANGLE graphics layer, for which Google paid $97,000. Most of the fixed vulnerabilities were found internally: only 10 of the approximately 90 high-severity issues came from external researchers, and 19 of the 22 critical-severity issues came from Google's own team. Google has not directly attributed any of the 429 fixes to AI-assisted discovery.

Google previously reformed its bug bounty program in April to cope with a flood of AI-generated reports, and now requires submitters to provide concise reproduction steps. Google's Big Sleep agent reported a series of FFmpeg vulnerabilities last year, now visible on the project's security page marked as BIGSLEEP; Anthropic's Mythos model uncovered a 16-year-old H.264 vulnerability and others in FFmpeg at a cost of approximately $10,000, and three of those were fixed in FFmpeg 8.1. Separately, another autonomous tool discovered an authenticated remote code execution vulnerability in Redis that had existed for over two years, since version 7.2.0. A study published in February found that an agent produced valid PoCs for more than half of 100 real Linux kernel N-day vulnerabilities, outperforming fuzzing.

FFmpeg users should pull fixed upstream builds or distribution security updates as soon as they are available, prioritizing any deployment that processes untrusted input, in particular RTSP or AV1-over-RTP. FFmpeg is widely bundled in media pipelines, Python wheels, container images, and devices; those embedded copies need patching too, and they are easy to miss because they do not come from the system package manager. Chrome users should upgrade to version 149.0.7827.53 on Linux, or 149.0.7827.53/54 on Windows and macOS, or confirm that automatic updates have run.

Finding vulnerabilities has become cheap, but triaging reports, shipping fixes, and getting users to install them is still done mostly by volunteers and a small number of human triagers. That part of the pipeline now has to keep pace with the speed of AI-driven discovery.

This article is compiled by Wedoany. All AI citations must indicate the source as "Wedoany". If there is any infringement or other issues, please notify us promptly, and we will modify or delete it accordingly. Email: news@wedoany.com