AI Discovers 21 Zero-Days in FFmpeg; Chrome Fixes Record 429 Vulnerabilities

Severity: High (Score: 72.5)

Sources: github.com, depthfirst.com, Thehackernews, Thenextweb

Published: 2026-06-06 · Updated: 2026-06-06

Keywords: agent, ffmpeg, bugs, zero-days, chrome, record, found

Severity indicators: zero-day, bug

Summary

An AI agent from the startup Depthfirst identified 21 zero-day vulnerabilities in FFmpeg, a widely used media library, for a cost of $1,000. These vulnerabilities include critical heap and stack overflows, some dating back over 20 years. Concurrently, Google released Chrome 149, addressing a record 429 security bugs, with 22 classified as critical. The most severe, CVE-2026-10881, allows code execution outside Chrome's sandbox and scored 9.6 on the CVSS scale. Depthfirst's findings highlight the increasing role of AI in vulnerability discovery, outpacing human efforts. Most of the FFmpeg vulnerabilities have been fixed, with some already assigned CVE identifiers. However, the challenge remains in managing the volume of vulnerabilities reported, as AI tools continue to flood the market with findings.

Key Points:

  • Depthfirst's AI agent found 21 zero-day vulnerabilities in FFmpeg.
  • Google's Chrome 149 patched a record 429 security bugs, including 22 critical vulnerabilities.
  • The most severe vulnerability, CVE-2026-10881, allows code execution outside Chrome's sandbox.

Detailed Analysis

**Impact**

The discovery of 21 zero-day vulnerabilities in FFmpeg affects any organization using this widely embedded open-source media library, which is integral to video processing across multiple sectors globally. The vulnerabilities include long-standing flaws, some over 20 years old, potentially exposing systems to memory corruption and remote code execution. Concurrently, Google's Chrome 149 update addresses 429 security bugs, including 22 critical vulnerabilities, impacting millions of browser users worldwide and raising the urgency for rapid patch deployment. The combined scale stresses software supply chains and end-user environments reliant on these components.

**Technical Details**

The FFmpeg zero-days are primarily heap and stack overflows in parsers and demuxers, including components like the TS demuxer and VP9 decoder, with CVEs ranging from CVE-2026-39210 to CVE-2026-39218. One notable flaw is a stack overflow dating back to 2003. Chrome's critical vulnerabilities include an out-of-bounds read/write in the ANGLE graphics engine (CVE-2026-10881) enabling sandbox escape and code execution. The FFmpeg bugs were found by an autonomous AI agent operated by Depthfirst, while Chrome's bugs were mostly found internally, with no direct AI attribution. No specific IOCs or malware tools were reported.

**Recommended Response**

Apply the latest FFmpeg patches that address the 21 zero-day vulnerabilities immediately, prioritizing systems handling video processing. Deploy Chrome 149 updates without delay to mitigate the 429 patched vulnerabilities, especially the critical ones like CVE-2026-10881. Increase monitoring for anomalous memory corruption behaviors and sandbox escape attempts related to ANGLE. Organizations should enhance triage capacity to manage the growing volume of AI-discovered vulnerabilities and monitor vendor advisories for further updates.

Source articles (4)

  • AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs — Thehackernews · 2026-06-06
    Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all o…
  • An AI agent found 21 zero-days in FFmpeg for $1,000. Chrome just patched a record 429 bugs. — Thenextweb · 2026-06-06
    Depthfirst’s AI agent found 21 FFmpeg zero-days for $1,000. Chrome 149 patched a record 429 bugs. AI is flooding defenders with more bugs than they can handle. A security startup’s autonomous AI agent…
  • 21 Zero Days In Ffmpeg — depthfirst.com · 2026-06-06
  • Ffmpeg Dfvuln127 — github.com · 2026-06-06

Timeline

  • 2026-06-04 — CVE-2026-10881 published: CVE-2026-10881 is an out-of-bounds read and write vulnerability in Chrome's ANGLE graphics engine.
  • 2026-06-06 — Depthfirst reports 21 zero-days in FFmpeg: An AI agent discovered 21 vulnerabilities in FFmpeg, some dating back over 20 years, costing $1,000 to identify.
  • 2026-06-06 — Google releases Chrome 149: Chrome 149 includes patches for a record 429 vulnerabilities, with 22 classified as critical.

CVEs

  • CVE-2026-10881
  • CVE-2026-39210
  • CVE-2026-39218

Related entities

  • Zero-day Exploit (Attack Type)
  • CWE-125 - Out-of-bounds Read (CWE)
  • CWE-787 - Out-of-bounds Write (CWE)
  • T1203 - Exploitation for Client Execution (MITRE ATT&CK)
  • ANGLE Graphics Engine (Platform)
  • Linux kernel (Platform)
  • Mozilla Firefox (Platform)
  • Redis (Platform)
  • Chrome (Tool)
  • FFmpeg (Tool)