AI-Powered Discovery Exposes 21 Zero-Day Vulnerabilities in FFmpeg, as Chrome Sets Record with 429 Bug Fixes

In a significant breakthrough, a security startup has successfully utilized an autonomous AI agent to uncover 21 previously unknown vulnerabilities in FFmpeg, a widely-used media library that plays a critical role in video processing. This discovery comes on the heels of Google releasing Chrome 149, which boasts an unprecedented 429 security bug fixes, shattering all previous records. While the FFmpeg vulnerabilities were identified by AI, the sheer volume of Chrome bug fixes can be attributed to Google's revamped bounty program, designed to cope with the influx of AI-generated reports.

The AI-powered discovery in FFmpeg is particularly noteworthy, as it demonstrates the rapidly evolving capacity of artificial intelligence to identify and expose vulnerabilities at an unprecedented scale. The autonomous security agent, developed by depthfirst, scanned approximately 1.5 million lines of C code in the FFmpeg project, producing 21 confirmed zero-days, each accompanied by a reproducible proof-of-concept input. The cost of this operation was estimated to be around $1,000, a relatively modest sum considering the profound implications of these findings.

A closer examination of the FFmpeg vulnerabilities reveals that several of these bugs had lain dormant for 15 to 20 years, with one stack overflow in the service-description-table code dating back to 2003. The majority of these vulnerabilities are heap or stack overflows in parsers and demuxers, affecting various components such as the TS demuxer and the VP9 decoder. depthfirst has published a detailed writeup of these findings, including nine CVE identifiers, ranging from CVE-2026-39210 to CVE-2026-39218, with the remaining vulnerabilities fixed but not yet assigned a CVE number.

In a separate yet related development, Chrome 149 has set a new record by addressing 429 vulnerabilities, with over 100 of these classified as critical or high-severity. The most severe of these bugs, CVE-2026-10881, carries a CVSS score of 9.6 and enables a crafted page to escape the sandbox, allowing for the execution of code on the host. Google paid a substantial sum of $97,000 for the discovery of this vulnerability.

The sheer volume of bug fixes in Chrome 149 can be attributed, in part, to the growing influence of AI-generated reports. While Google has not explicitly linked the 429 bug fixes to AI, the company's recent overhaul of its bounty program, prompted by an influx of AI-generated submissions, suggests a significant shift in the vulnerability discovery landscape. The new program emphasizes the need for concise reproducer reports, a departure from the lengthy writeups typically associated with AI-generated reports.

As the security landscape continues to evolve, the role of AI in vulnerability discovery is becoming increasingly prominent. A study published in February demonstrated the ability of an AI agent to reproduce working proof-of-concepts for over half of 100 real Linux kernel N-day bugs, outperforming traditional fuzzing techniques. Similarly, an autonomous tool recently discovered an authenticated RCE in Redis, a vulnerability that had remained undetected for over two years.

In light of these developments, it is essential for individuals and organizations to prioritize patching and updating their systems, particularly those that utilize FFmpeg or Chrome. For FFmpeg, this involves pulling the fixed upstream build or applying the relevant security update as soon as it becomes available. Users should also prioritize patching any components that ingest untrusted RTSP or AV1-over-RTP, as these are likely to be targeted by malicious actors.

Ultimately, the increasing pace of vulnerability discovery, driven in part by AI, demands a corresponding shift in the way we approach security. As the cost of finding bugs decreases, the focus must now turn to triaging reports, shipping fixes, and ensuring timely installation of updates. This will require a concerted effort from developers, security professionals, and organizations, as well as a recognition of the critical role that AI is likely to play in shaping the future of cybersecurity.