An AI Agent Found 21 Zero-Days in FFmpeg for $1,000 — the Oldest Bug Had Been Hiding Since 2003

FFmpeg is the media library that processes video in virtually every context that matters: browsers, streaming platforms, video editors, conference software, mobile apps. It is also, as of this week, confirmed to contain at least 21 previously unknown security vulnerabilities, all of them discovered by an autonomous AI agent run by a security startup called depthfirst. The compute cost of finding them was approximately $1,000.
depthfirst published its findings on June 6, including a GitHub repository with proof-of-concept inputs for all 21 bugs. Nine have been assigned CVE identifiers so far, CVE-2026-39210 through CVE-2026-39218. The rest have been patched upstream but are not yet numbered. All of them are fixed in the current FFmpeg release.
What the Bugs Are and Where They Hide
Most of the 21 vulnerabilities are heap or stack overflows concentrated in FFmpeg's parsers and demuxers — the components responsible for reading and interpreting the structure of media files before decoding begins. Affected components include the TS demuxer (which handles MPEG transport streams used in broadcast TV and streaming) and the VP9 decoder (Google's video codec used widely on the web). depthfirst describes several as reachable via crafted media files, meaning an attacker could trigger them by getting a target to open a malicious video.
The age of the bugs is what makes the finding remarkable. Several had been latent for 15 to 20 years. The oldest, a stack overflow in the service-description-table parser, dates to 2003 and sat in the codebase untouched for 23 years. These are not obscure edge-case paths — they are in components that handle formats in active use across the industry.
The Economics of AI-Driven Vulnerability Research
The $1,000 figure matters because it represents the compute cost of a single autonomous research run, not the total cost of a security team engaging in months of manual code review. For comparison, a single skilled security researcher costs hundreds of thousands of dollars per year in salary, and manual audit engagements for a codebase the size of FFmpeg typically run six figures. depthfirst is not alone in this space: Google's Big Sleep agent has previously reported FFmpeg vulnerabilities, and Anthropic's Mythos model found a 16-year-old H.264 flaw and other bugs in FFmpeg for comparable costs.
The implication is not that AI replaces security researchers — the findings still need human triage, CVE assignment, coordinated disclosure, and patch validation. But the economics of the discovery phase are shifting dramatically. A $1,000 compute run that surfaces 21 confirmed zero-days with reproducible PoCs is an order of magnitude more cost-efficient than equivalent human effort.
The Same Week: Chrome Patches a Record 429 Bugs
The FFmpeg disclosure landed the same week Google shipped Chrome 149 with patches for 429 security vulnerabilities, the most ever in a single Chrome release. More than 100 are rated critical or high severity. The worst, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read/write in the ANGLE graphics engine that allows a crafted webpage to escape Chrome's sandbox and execute arbitrary code on the host system. Google paid $97,000 to the researcher who reported it.
The Chrome release is not directly connected to AI-discovered bugs — Google has not attributed the record volume to AI agents. The connection is more indirect: Google overhauled its bug bounty program in April specifically because AI-generated reports flooded the submission queue, requiring new guidelines that prioritize concise reproducers over the long writeups AI tools tend to produce.
What This Means for Defenders
The practical priority: update FFmpeg to the current release, and track CVE-2026-39210 through CVE-2026-39218 for internal asset inventory. If your organization uses FFmpeg in media processing pipelines — particularly for user-supplied content — the TS demuxer and VP9 decoder components warrant specific attention until all 21 bugs have CVE identifiers and are confirmed patched in the version you run.
The broader implication: AI agents are finding bugs in major open-source libraries faster than the ecosystem can number and publish them. The gap between when a vulnerability exists, when it is found, and when it is patched is being compressed on the discovery side. The patching infrastructure has not kept pace.
Originally reported by The Hacker News. Read the original article for additional details.