AI Agent Uncovers 21 Zero-Day Vulnerabilities in FFmpeg; Chrome Patches Record 429 Bugs
An AI agent has discovered 21 zero-day vulnerabilities in the widely-used FFmpeg media processing library, while Google's Chrome browser released an update addressing a record 429 security flaws.
A security startup named depthfirst has announced the discovery of 21 previously unknown vulnerabilities within FFmpeg, a critical media processing library that underpins countless applications handling video and audio.
These zero-day flaws, identified by an autonomous AI security agent, could pose significant risks to systems relying on FFmpeg for media decoding and encoding. The AI scanned approximately 1.5 million lines of C code, producing confirmed zero-days with reproducible proof-of-concept inputs. The cost for this extensive scan was reportedly around $1,000.
Intriguingly, some of these vulnerabilities had been dormant for as long as 15 to 20 years. One notable stack overflow in the service-description-table code dates back to 2003, remaining unaddressed for over two decades. The majority of the discovered bugs are heap or stack overflows found within parsers and demuxers, affecting various FFmpeg components such as the TS demuxer and VP9 decoder.
Several of these FFmpeg vulnerabilities have already been assigned CVE identifiers, with nine listed as CVE-2026-39210 through CVE-2026-39218. The remaining flaws have been fixed by the FFmpeg project but are awaiting official numbering. depthfirst has also released proof-of-concept exploits for these findings.
In parallel, Google released Chrome version 149, which includes patches for an unprecedented 429 security vulnerabilities. This number shatters previous records for a single browser update. Over 100 of these bugs are classified as critical or high severity, with many related to use-after-free conditions and insufficient input validation.
The most severe flaw in the Chrome update, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read and write vulnerability in the ANGLE graphics engine. This bug could allow a malicious webpage to escape Chrome's sandbox and execute code directly on the host system. Google reportedly paid $97,000 for the discovery of this particular vulnerability.
While the FFmpeg bugs were directly attributed to AI discovery, Google has not explicitly linked the record number of Chrome vulnerabilities to AI. However, the company did overhaul its bug bounty program in April, citing a surge in AI-generated submissions and now prioritizing concise reproducer steps over lengthy write-ups. This shift reflects the broader trend of AI accelerating vulnerability discovery across the cybersecurity landscape.
Users are strongly advised to update FFmpeg to the latest patched upstream build or their distribution's security update immediately, paying particular attention to components handling untrusted RTSP or AV1-over-RTP streams. For Chrome users, updating to version 149.0.7827.53 (Linux) or 149.0.7827.53/54 (Windows/macOS) is crucial, or ensuring auto-update functionality is enabled.