By Allan D - Editor, AI Security Wire
AI Agent Finds 21 Zero-Days in FFmpeg for $1,000
depthfirst published results on June 6 from an autonomous security agent run against FFmpeg. The output: 21 confirmed zero-days with reproducible proof-of-concept inputs. Approximate inference cost for the full run: $1,000.
What the Agent Found
FFmpeg is approximately 1.5 million lines of C. It processes video and audio across most software that touches media: players, streaming platforms, Python packages, container images, browsers, and consumer devices. Security research at this codebase scale has historically required significant sustained effort.
depthfirst’s agent worked across the full codebase and produced 21 confirmed vulnerabilities. Most are heap or stack overflows in parsers and demuxers. The affected components include the TS demuxer, the VP9 decoder, and the service-description-table code. Nine of the 21 already carry CVE identifiers — CVE-2026-39210 through CVE-2026-39218 — with the remaining bugs fixed but not yet numbered.
The oldest bug dates to 2003. It sat in the service-description-table code for 23 years. Numerous manual security audits of FFmpeg happened during that period. None of them found it. A $1,000 agent run did.
The Economics
The $1,000 figure represents inference cost for one run. It excludes the engineering work to build the agent, the knowledge required to target the right codebase, and the effort to verify and write up the results. Those costs are real. But as a per-run inference figure against a major target, it is a significant data point.
Prior to AI-augmented research, a serious vulnerability audit of a 1.5-million-line C codebase required weeks or months of dedicated manual work. The Project Glasswing research earlier in 2026 documented autonomous AI agents finding 10,000 critical flaws in a month across a broader target set. The depthfirst FFmpeg case is narrower and more concrete: a specific codebase, a specific count of confirmed zero-days with PoCs, a specific cost figure. It is harder to treat as a theoretical projection.
The same cost curve that makes autonomous research accessible for security teams makes it accessible for adversaries. FFmpeg is in almost everything. Exploitable bugs in FFmpeg parsers and demuxers have a large installed base to target.
Patching and the Embedded Copy Problem
FFmpeg’s maintainers have patched all 21 confirmed vulnerabilities. Pull the fixed upstream build or your distribution’s security update.
The more complex problem is embedded copies. FFmpeg ships inside hundreds of packages and applications. The upstream patch does not propagate automatically to bundled copies in container images, Python wheels, appliances, or compiled-in dependencies. Those need to be identified and updated separately.
The demuxer and parser vulnerabilities are most exposure-relevant for internet-facing systems. Anything that ingests untrusted RTSP streams or AV1-over-RTP input should be prioritised. The TS demuxer and VP9 decoder bugs are in components that process common media formats from external sources.
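One way to inventory bundled and compiled-in copies, added here as an example (not code from depthfirst or the FFmpeg project): it walks a directory tree, looks inside wheels and other zip archives, and reports files that are named like FFmpeg libraries or that carry the `Lavc`/`Lavf` version idents inside executable code. The ident match is a heuristic, and the file names and version numbers in `demo()` are constructed.

```python
import io, re, sys, tempfile, zipfile
from pathlib import Path

# Heuristic: libavcodec/libavformat binaries embed idents such as b"Lavc60.31.102".
IDENT = re.compile(rb"Lav([cf])(\d{1,3}\.\d{1,3}\.\d{1,3})")
NAME = re.compile(r"(?:^|/)(?:(?:lib)?av(?:codec|format)[^/]*\.(?:so|dll|dylib)[.\d]*|ffmpeg(?:\.exe)?)$")
# ELF, PE and Mach-O magics. Media files also carry "Lavf..." encoder tags,
# so an ident only counts when it sits inside executable code.
MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
ARCHIVES = {".whl", ".zip", ".egg", ".jar"}
MAX_BYTES = 512 * 1024 * 1024  # larger files are skipped, not read into memory

def scan_blob(label, blob, hits, depth=0):
    """Record label if its name or embedded idents point at an FFmpeg library."""
    if Path(label).suffix.lower() in ARCHIVES and depth < 3:
        return scan_zip(label, blob, hits, depth)
    lib, found = {b"c": "libavcodec", b"f": "libavformat"}, set()
    if blob.startswith(MAGIC):
        found = {f"{lib[k]} {v.decode()}" for k, v in IDENT.findall(blob)}
    if found or NAME.search(label.replace("\\", "/")):
        hits.append((label, sorted(found)))

def scan_zip(label, data, hits, depth):
    """Look inside wheels and other zip archives, with a nesting limit."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_BYTES:
                    scan_blob(f"{label}!{info.filename}", zf.read(info), hits, depth + 1)
    except zipfile.BadZipFile:
        pass  # wrong extension or truncated archive: nothing to inspect

def scan_tree(root):
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink() and p.stat().st_size <= MAX_BYTES:
            scan_blob(str(p), p.read_bytes(), hits)
    return hits

def demo():
    """Constructed sample tree: a wheel bundling libavformat, a static binary, an MP4."""
    with tempfile.TemporaryDirectory() as d:
        with zipfile.ZipFile(Path(d, "example_pkg.whl"), "w") as zf:
            zf.writestr("example.libs/libavformat-1a2b3c.so.60", b"\x7fELF..Lavf60.16.100")
        Path(d, "transcoder").write_bytes(b"\x7fELF" + b"\0" * 64 + b"Lavc60.31.102\0")
        Path(d, "clip.mp4").write_bytes(b"....ftypisom....Lavf58.76.100")
        return [(Path(label).name, found) for label, found in scan_tree(d)]

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it against an unpacked container image root or a site-packages directory, then compare the reported library versions with the fixed releases named in the upstream or distribution advisory.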
The Defender Angle
The methodology depthfirst used isn’t secret. An autonomous agent scanning C code and identifying memory safety anomalies is, in principle, applicable to any codebase. The question for security teams is whether the same approach can run against internal code before it ships, rather than waiting for an external researcher to find the problems first.
The tooling for this is available and the cost is declining. Teams running significant C or C++ codebases have a practical option here that did not exist two years ago.
References
- depthfirst — 21 Zero-Days in FFmpeg
- The Hacker News — AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs
- The Next Web — An AI agent found 21 zero-days in FFmpeg for $1,000. Chrome just patched a record 429 bugs.
- SC Media — AI agents discover numerous vulnerabilities in FFmpeg and Chrome
- AI Weekly — depthfirst Finds 21 FFmpeg Zero-Days for $1,000
Frequently Asked Questions
- What types of vulnerabilities did the AI agent find in FFmpeg?
  Most of the 21 confirmed zero-days are heap or stack overflows in parsers and demuxers. The affected components include the TS demuxer, the VP9 decoder, and the service-description-table code. Nine have already been assigned CVE identifiers: CVE-2026-39210 through CVE-2026-39218. The oldest confirmed bug dates to 2003, sitting in the service-description-table code for 23 years before the agent found it.
- How widely is FFmpeg embedded, and what does this mean for patching?
  FFmpeg ships inside an enormous share of software that handles video and audio — media players, streaming infrastructure, Python packages, container images, browser components, and consumer appliances. Patching the upstream source does not propagate to bundled copies. Security teams should audit where FFmpeg appears in their stack and prioritise deployments that ingest untrusted media input from external sources, particularly RTSP streams or AV1-over-RTP.
- What does the $1,000 cost figure mean for the vulnerability research landscape?
  It represents the inference cost for one agent run against a major, widely-analysed codebase. It does not cover engineering the agent, selecting the target, or verifying results. But as a signal about the cost curve for autonomous vulnerability discovery, it matters. The same economics apply to defenders running agents against their own code before shipping, and to adversaries running agents against targets they want to exploit. The window between 'this is research-lab capability' and 'this is available at commodity cost' has closed.