{"id":265564,"date":"2026-06-06T03:28:00","date_gmt":"2026-06-06T07:28:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/06\/06\/ai-agent-uncovers-21-zero-days-in-ffmpeg-chrome-patches-record-429-bugs\/"},"modified":"2026-06-06T04:20:10","modified_gmt":"2026-06-06T08:20:10","slug":"ai-agent-uncovers-21-zero-days-in-ffmpeg-chrome-patches-record-429-bugs","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/06\/06\/ai-agent-uncovers-21-zero-days-in-ffmpeg-chrome-patches-record-429-bugs\/","title":{"rendered":"AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/ai-agent-uncovers-21-zero-days-in.html\">AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/ai-agent-uncovers-21-zero-days-in.html\">https:\/\/thehackernews.com\/2026\/06\/ai-agent-uncovers-21-zero-days-in.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-06 03:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Swati Khandelwal<\/span>\ue802<span class=\"author\">Jun 06, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Endpoint Security<\/span><\/p>\n<p>Two things landed within days of each other this week. A security startup reported 21 previously unknown vulnerabilities in FFmpeg, the media library inside almost everything that touches video, all of them found by an autonomous AI agent.<\/p>\n<p>The same week, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single release.<\/p>\n<p>Only the FFmpeg bugs were found by AI. Chrome&#8217;s record landed after Google overhauled its bounty program to cope with a flood of AI-generated reports. The mechanisms differ, but the pressure is the same: AI is putting more vulnerabilities in front of the people who have to deal with them, and faster than before.<\/p>\n<p>The FFmpeg findings come from depthfirst, whose autonomous security agent scanned the project&#8217;s roughly 1.5 million lines of C and produced 21 confirmed zero-days, each with a reproducible proof-of-concept input.<\/p>\n<p>The company puts the cost of the run at around $1,000. Several of the bugs had been latent for 15 to 20 years; one stack overflow in the service-description-table code dates to 2003 and sat untouched for 23 years.<\/p>\n<p>Most are heap or stack overflows in parsers and demuxers, spanning components from the TS demuxer to the VP9 decoder. depthfirst says some already carry CVE identifiers; its writeup lists nine, CVE-2026-39210 through CVE-2026-39218, and notes the rest are fixed but not yet numbered. It also published a PoC.<\/p>\n<p>In separate news, Chrome 149 fixes 429 vulnerabilities, a record for a single release. Over 100 are critical or high severity, mostly use-after-free and insufficient input validation.<\/p>\n<p>The worst, CVE-2026-10881 (CVSS 9.6), is an out-of-bounds read and write in the ANGLE graphics engine that lets a crafted page escape the sandbox and run code on the host. Google paid $97,000 for it.<\/p>\n<p>The highest-severity bugs were mostly internal finds: of roughly 90 high-severity bugs, only 10 came from outside researchers, and 19&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/06\/ai-agent-uncovers-21-zero-days-in.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs https:\/\/thehackernews.com\/2026\/06\/ai-agent-uncovers-21-zero-days-in.html Publish Date:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":265565,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiyg1vRQART17ZjJXANnrQ8Vtn7h_tM5IihGJ4LnxbGTDFL1QSvR_lEDmVm7bsO84br04_oM-RM9ZgX-6b5yVQnEOTwKgk3KzImrhPBrI91GIYmQ-n09hq3vjF3tPVnNqVhHbV22BIxXg9zhGg4b2s4kATPjtnqGWldHRw29GexKQbEcX6HxG46vPfvo26l\/s1600\/chrome-update.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,27],"class_list":["post-265564","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265564"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=265564"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265564\/revisions"}],"predecessor-version":[{"id":265566,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/265564\/revisions\/265566"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/265565"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=265564"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=265564"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=265564"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}