AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs
https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html
Publish Date: 2026-06-06 03:28:00
Source Domain: thehackernews.com
Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all of them found by an autonomous AI agent.
The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release.
Only the FFmpeg bugs were found by AI. Chrome’s record landed after Google overhauled its bounty program to cope with a flood of AI-generated reports. The mechanisms differ, but the pressure is the same: AI is putting more vulnerabilities in front of the people who have to deal with them, and faster than before.
The FFmpeg findings come from depthfirst, whose autonomous security agent scanned the project’s roughly 1.5 million lines of C and produced 21 confirmed zero-days, each with a reproducible proof-of-concept input.
The company puts the cost of the run at around $1,000. Several of the bugs had been latent for 15 to 20 years; one stack overflow in the service-description-table code dates to 2003 and sat untouched for 23 years.
Most are heap or stack overflows in parsers and demuxers, spanning components from the TS demuxer to the VP9 decoder. depthfirst says some already carry CVE identifiers; its writeup lists nine, CVE-2026-39210 through CVE-2026-39218, and notes the rest are fixed but not yet numbered. It also published a PoC.
In separate news, Chrome 149 fixes 429 vulnerabilities, a record for a single release. Over 100 are rated critical or high severity, most of them use-after-free bugs and insufficient input validation.
The worst, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read and write in the ANGLE graphics engine that lets a crafted page escape the sandbox and run code on the host. Google paid $97,000 for it.
The highest-severity bugs were mostly internal finds: of roughly 90 high-severity bugs, only 10 came from outside researchers, and 19…