TL;DR: Security startup depthfirst deployed an autonomous AI agent against FFmpeg's ~1.5 million lines of C code. The result: 21 confirmed zero-day vulnerabilities, each with a reproducible proof-of-concept, for approximately $1,000 in cloud compute costs. One critical finding — a stack overflow in the AV1 RTP depacketizer — is a network-reachable RCE exploitable with a single 183-byte RTP packet over RTSP. Nine CVEs have been assigned (CVE-2026-39210 through CVE-2026-39218). The discovery represents a 200x to 500x cost reduction compared to a traditional human-led security audit, and it raises an uncomfortable question: when finding bugs is this cheap, can the patch pipeline keep up?
Introduction
On June 6, 2026, security startup depthfirst published the results of an experiment that should make every CTO, CISO, and open-source maintainer pause. The company pointed its autonomous AI security agent at FFmpeg — the ubiquitous open-source multimedia library embedded in YouTube, Netflix, Zoom, Discord, VLC, and billions of devices worldwide — and let it run.
The agent scanned roughly 1.5 million lines of C, reasoning about code structure and data flow rather than simply fuzzing for crashes. It returned 21 confirmed zero-day vulnerabilities. The total cloud compute cost: approximately $1,000.