AI Discovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Vulnerabilities
Severity: High (Score: 70.5)
Sources: Feeds.4Sysops, Thehackernews, github.com, Thenextweb, depthfirst.com
Keywords: agent, ffmpeg, bugs, zero-days, chrome, record, found
Severity indicators: zero-day, bug
Summary
An AI agent from the startup Depthfirst identified 21 zero-day vulnerabilities in FFmpeg, a widely used media library, with some flaws dating back over 20 years. These vulnerabilities include critical heap and stack overflows affecting various video processing applications. Concurrently, Google released Chrome 149, addressing a record 429 security bugs, with 22 classified as critical. The most severe bug, CVE-2026-10881, allows code execution outside Chrome's sandbox and scored 9.6 on the CVSS scale. The rapid discovery of vulnerabilities by AI tools highlights a growing challenge for security teams to manage the influx of reports. Depthfirst's AI agent achieved this at a cost of approximately $1,000, significantly lower than traditional methods. The situation indicates a shift in the cybersecurity landscape, where AI is outpacing human efforts in vulnerability discovery.

Key Points:
• Depthfirst's AI agent found 21 zero-day vulnerabilities in FFmpeg, some over 20 years old.
• Google's Chrome 149 patched a record 429 vulnerabilities, including 22 critical issues.
• The rapid pace of AI-driven vulnerability discovery poses challenges for security teams.
Detailed Analysis
**Impact**
The FFmpeg zero-day vulnerabilities affect a widely used open-source media library embedded in numerous video processing applications globally, with some flaws present for over 20 years. The Chrome 149 update addresses 429 security bugs, including over 100 critical or high-severity issues, impacting millions of users across all sectors relying on the browser. These vulnerabilities risk remote code execution, sandbox escapes, and potential compromise of host systems, affecting both enterprise and consumer environments worldwide.

**Technical Details**
The 21 FFmpeg zero-days include heap and stack overflows in parsers and demuxers such as the TS demuxer and VP9 decoder, with CVEs ranging from CVE-2026-39210 to CVE-2026-39218 assigned to nine of them. The most severe Chrome bug, CVE-2026-10881, is a 9.6 CVSS out-of-bounds read/write in the ANGLE graphics engine enabling sandbox escape and code execution. These vulnerabilities were discovered primarily through autonomous AI agents using fuzzing and deep code analysis techniques. No specific IOCs or malware have been reported.

**Recommended Response**
Apply the latest FFmpeg patches that address the 21 zero-days and update Chrome to version 149 immediately to mitigate the 429 patched vulnerabilities, prioritizing critical and high-severity fixes. Security teams should enhance triage processes to handle the increased volume of AI-generated vulnerability reports and monitor for exploitation attempts targeting the ANGLE engine and FFmpeg components. No additional detection signatures or IOCs have been published; maintain vigilance on anomalous media processing and browser sandbox escape indicators.
Source articles (5)
- AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs — Thehackernews · 2026-06-06
  Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all o…
- An AI agent found 21 zero-days in FFmpeg for $1,000. Chrome just patched a record 429 bugs. — Thenextweb · 2026-06-06
  Depthfirst's AI agent found 21 FFmpeg zero-days for $1,000. Chrome 149 patched a record 429 bugs. AI is flooding defenders with more bugs than they can handle. A security startup's autonomous AI agent…
- AI agents uncover long-standing zero — Feeds.4Sysops · 2026-06-06
  An autonomous AI agent recently discovered 21 previously unknown vulnerabilities in the FFmpeg media library, some of which had remained hidden for over 20 years. These flaws include heap and stack ov…
- 21 Zero Days In Ffmpeg — depthfirst.com · 2026-06-06
- Ffmpeg Dfvuln127 — github.com · 2026-06-06
Timeline
- 2026-06-04 — CVE-2026-10881 published: CVE-2026-10881, a critical out-of-bounds read/write vulnerability in Chrome, was disclosed.
- 2026-06-06 — AI discovers 21 zero-days in FFmpeg: Depthfirst's AI agent uncovered 21 previously unknown vulnerabilities in FFmpeg, affecting video processing applications.
- 2026-06-06 — Chrome 149 released with 429 patches: Google released Chrome 149, fixing a record 429 vulnerabilities, emphasizing the need for improved bug triaging.
CVEs
Related entities
- Zero-day Exploit (Attack Type)
- CWE-120 - Classic Buffer Overflow (CWE)
- CWE-122 - Heap-based Buffer Overflow (CWE)
- CWE-125 - Out-of-bounds Read (CWE)
- CWE-787 - Out-of-bounds Write (CWE)
- T1203 - Exploitation for Client Execution (MITRE ATT&CK)
- ANGLE Graphics Engine (Platform)
- Linux kernel (Platform)
- Mozilla Firefox (Platform)
- Redis (Platform)
- Chrome (Tool)
- FFmpeg (Tool)