TL;DRDepthfirst’s AI agent found 21 FFmpeg zero-days for $1,000. Chrome 149 patched a record 429 bugs. AI is flooding defenders with more bugs than they can handle.
A security startup’s autonomous AI agent found 21 previously unknown vulnerabilities in FFmpeg, the open-source media library embedded in almost everything that touches video. The startup, depthfirst, says the run cost roughly $1,000 in compute. Some of the bugs had been hiding in the codebase for more than 20 years.
Days later, Google shipped Chrome 149 with patches for 429 security bugs, the most ever in a single browser release. Over 100 are critical or high severity. The two events arrived independently, but they point in the same direction: AI is finding vulnerabilities faster than humans can fix them.
Depthfirst’s agent scanned FFmpeg’s roughly 1.5 million lines of C and produced a reproducible proof-of-concept for each of the 21 zero-days. Most are heap or stack overflows in parsers and demuxers, spanning components from the TS demuxer to the VP9 decoder. One stack overflow in the service-description-table code dates to 2003.
Nine already carry CVE identifiers (CVE-2026-39210 through CVE-2026-39218). The rest have been fixed upstream but not yet numbered. Depthfirst has published proof-of-concept code.
