AI Agents That Find Zero-Days: The FFmpeg Case Study and What It Means for Software Security
On June 6, 2026, security startup depthfirst disclosed that its autonomous AI-powered security agent had discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, the world's most widely deployed media processing library. The agent scanned approximately 1.5 million lines of C code at a total compute cost of roughly $1,000, producing 21 confirmed vulnerabilities with reproducible proof-of-concept inputs. Nine of those vulnerabilities received CVE identifiers — CVE-2026-39210 through CVE-2026-39218. The remaining twelve have been fixed upstream but await official numbering.
Several of the bugs had been latent for 15 to 20 years. The oldest — a stack buffer overflow in the service-description-table parser — was introduced in 2003 and sat undetected for 23 years. It survived countless human code reviews, multiple generations of fuzzing campaigns by OSS-Fuzz and Google's Project Zero, and at least one prior dedicated security audit by Anthropic's Mythos model that cost ten times as much.
This is the story of how that happened, why it matters, and what it means for every team shipping software in 2026.
The Discovery: 21 Zero-Days for $1,000
Depthfirst is not a household name. The early-stage security research startup was founded in late 2025 by a team with backgrounds in reinforcement learning and applied AI, and its core product is an autonomous AI agent designed to perform deep, exploratory code analysis — the kind of work that traditionally requires senior human security researchers working for weeks or months.
The FFmpeg engagement was chosen as an efficiency benchmark for a good reason. FFmpeg is a famously difficult target. It comprises roughly 1.5 million lines of heavily optimized C code dedicated to parsing hundreds of complex media formats. It has absorbed over two decades of relentless fuzzing. Google's Big Sleep team had disclosed 13 FFmpeg vulnerabilities only months earlier. Anthropic had used its Mythos model to scan FFmpeg and discovered additional issues. Finding new bugs in a codebase this hardened is a genuine test of capability.
Depthfirst's agent returned 21 confirmed zero-days. The findings spanned components from the Transport Stream (TS) demuxer to the VP9 decoder to the Real-Time Messaging Protocol (RTMP) client. The breakdown by vulnerability class tells a clear story about where the agent's attention went:
| Class | Count | Example Component |
|---|---|---|
| Heap buffer overflow | 8 | TS demuxer, Matroska parser |
| Stack buffer overflow | 7 | AV1 RTP depacketizer, VP9 decoder |
| Use-after-free | 3 | Audio format parser |
| Integer overflow | 2 | H.264 SEI parsing |
| Out-of-bounds read | 1 | Subtitles decoder |
Every finding included a reproducible proof-of-concept input that the agent generated autonomously. This is the key differentiator: the agent did not flag theoretical vulnerabilities and leave human researchers to triage. It confirmed each finding by execution, producing a concrete input that triggers the bug.
The Critical Finding: 183-Byte RCE
Among the 21 findings, one vulnerability stands apart. DFVULN-127 is a heap buffer overflow in FFmpeg's AV1 RTP depacketizer — the code that reassembles AV1 video frames received over Real-Time Protocol (RTP). The vulnerability lives in libavformat/rtpdec_av1.c, in the function av1_handle_packet(). It is reachable from the network with no special flags, no authentication, and no unusual command-line arguments.
The attack surface is disarmingly ordinary. A victim runs:
ffmpeg -i rtsp://attacker/stream
This is the most common command imaginable for processing a remote media stream. It appears in media ingest pipelines, surveillance camera monitoring systems, broadcast infrastructure, developer testing workflows, and countless containerized media-processing deployments. The agent discovered that a single crafted 183-byte RTP packet, delivered during the normal RTSP PLAY phase, is sufficient to achieve full instruction-pointer hijack.
The mechanics of the exploit are instructive. The depacketizer reconstructs an AV1 elementary stream from RTP packets using a write cursor, pktpos, into the output AVPacket. When it encounters a Temporal Delimiter (TD) OBU — a signaling element that the AV1 spec says to "ignore and remove" — the code skips the TD bytes but pushes pktpos forward by the attacker-declared obu_size. Critically, no memory is allocated for this advance, and the input pointer never advances past the TD bytes. The next OBU then grows the packet by a small amount and writes attacker-controlled bytes starting at pkt->data[pktpos] — far past the end of the allocation.
With obu_size set to 148, the writes land on AVBuffer.free, a function pointer that av_buffer_alloc places immediately after the data buffer. The exploit overwrites this pointer with 0xdeadbeef while leaving the refcount intact. When one more av_grow_packet triggers a buffer release, the corrupted free pointer is called, and control of the instruction pointer transfers to the attacker-controlled address.
The reach of this bug is what makes it serious. Any deployment pointing FFmpeg at an attacker-influenced RTSP URL is exposed: media pipelines that process user-supplied stream URLs, CCTV systems pulling RTSP feeds, transcoding services handling remote AV1-over-RTP sources. No authentication, no user interaction beyond opening the stream, and no unusual command-line flags. The vulnerability triggers during the normal RTSP PLAY phase that every client performs by design.
Depthfirst published a fully reproducible Docker-based PoC at github.com/DepthFirstDisclosures/ffmpeg-dfvuln127, enabling defenders to verify and test against their own deployments.
How AI Agents Find Vulnerabilities Differently
To understand why this matters, you have to understand how traditional vulnerability discovery works — and where it falls short.
Fuzzing (AFL, libFuzzer, Honggfuzz) feeds mutated inputs to a target program and monitors for crashes. It is effective at finding shallow bugs — reachable in the first few execution steps — but struggles with format-constrained inputs, multi-step state machines, and code paths that require specific preconditions. Coverage-guided fuzzing improves this by instrumenting branch coverage, but it remains a statistical approach: it finds what it finds based on what input mutations happen to hit. Fuzzing cannot reason about data flow or identify the root cause of a crash condition.
Static analysis (Semgrep, CodeQL, Coverity) models code structure and has built-in rules for common vulnerability patterns — uncontrolled format strings, buffer copies without length checks, taint propagation from untrusted sources. These tools can cover the entire codebase in minutes, but they produce high false-positive rates (often 70-90 percent) and struggle with context-dependent vulnerabilities that require understanding the broader data flow or the specific conditions under which a function is called. A static analysis tool can flag every memcpy without a bounds check; it cannot tell you whether the attacker controls the input length in the specific call path that matters.
Manual review by expert security researchers remains the gold standard for depth, but it is expensive (500,000 for a codebase the size of FFmpeg) and takes months. Even the best human reviewers have limited stamina for scanning 1.5 million lines of C.
The depthfirst agent operates in a fundamentally different regime. It combines three capabilities that no single traditional tool possesses:
Structural reasoning. The agent begins by building a model of the codebase: understanding its architecture, identifying exposed parsers and protocol handlers, and mapping where attacker-controlled input can enter the system. This is threat modeling, automated. It traces data flow through the relevant components rather than treating the repository as a flat collection of files.
Hypothesis-driven testing. The agent forms hypotheses about where vulnerabilities might exist — a missing length check before a buffer write, an integer overflow that wraps a size calculation, a use-after-free where a reference is dropped but the pointer persists. It traces execution paths to verify whether the attacker actually controls the right input, whether the vulnerable path is reachable, and whether the suspected flaw can be triggered.
Autonomous PoC generation. This is the critical step that separates depthfirst's approach from every previous AI-assisted security tool. The agent does not produce a theoretical report. It pinpoints the exact security issue and generates a concrete, reproducible input that confirms the vulnerability by execution. This eliminates false positives as a category problem: if the agent can produce a crashing input, the vulnerability is real.
The agent is built on commercially available Claude models, not on a custom frontier system. Depthfirst has published research on post-training specialized security models via reinforcement learning, suggesting that the $1,000 cost figure represents a trajectory, not a floor. Their earlier dfs-mini1 agent, trained on smart-contract vulnerability detection, showed that reinforcement learning with a continuous reward signal based on detection coverage produces agents that learn to compose their own detection strategies from low-level primitives rather than anchoring on pre-built tool outputs.
The cost comparison is stark. A comparable human-led engagement would cost 500,000 and take three to six months. Anthropic's own Mythos model — a general-purpose frontier system — cost approximately $10,000 for similar FFmpeg analysis. Depthfirst's purpose-built agent achieved comparable or better results at one-tenth the cost. The economics of vulnerability discovery have shifted by two to three orders of magnitude in a single engagement.
The Open-Source Maintenance Crisis
The depthfirst disclosure landed in a security ecosystem that was already buckling under the weight of AI-accelerated vulnerability discovery.
Project Glasswing, Anthropic's coordinated AI vulnerability research initiative launched in April 2026, had used Claude Mythos Preview to scan over 1,000 open-source projects. By Anthropic's own accounting, Mythos Preview identified an estimated 6,202 high- or critical-severity vulnerabilities in open-source code out of 23,019 total findings. Of the 1,752 that had been independently reviewed by security research firms, 90.6 percent (1,587) were confirmed as valid true positives, and 62.4 percent (1,094) were confirmed as high- or critical-severity.
As of May 22, 2026, Anthropic had disclosed 1,596 vulnerabilities to open-source maintainers across 281 projects. Only 97 had been patched — roughly six percent. Project Glasswing partners including Cloudflare and Mozilla reported thousands of additional findings. Mozilla had found and fixed 271 vulnerabilities in Firefox 150 using Mythos Preview — more than ten times the count found with the prior-generation Claude Opus 4.6.
Multiple open-source maintainers told Anthropic they were severely capacity constrained and asked the company to slow its disclosure rate so they could design patches. A well-resourced initiative with fifty partners and $100 million in compute credits was overwhelming the ecosystem's patching bandwidth. That a six percent remediation rate is considered a reasonable interim result tells you everything about the structural mismatch.
Chrome 149, released the same week as the depthfirst disclosure, patched a record 429 security vulnerabilities — 22 rated critical, 87 rated high, including CVE-2026-10881, a CVSS 9.6 sandbox escape in the ANGLE graphics layer that earned a $97,000 bug bounty. Google's previous record for a single Chrome release was roughly 180 flaws. The jump to 429 suggests a structural shift in how vulnerabilities are being discovered, not an anomaly in one release cycle.
These three data points—depthfirst's $1,000 FFmpeg run, Glasswing's thousands of disclosed-but-unpatched vulnerabilities, and Chrome's unprecedented 429-bug release—describe a single phenomenon from different angles. AI-assisted vulnerability discovery has crossed a threshold. The bottleneck in software security has moved from finding bugs to fixing them.
What This Means for DevOps and Security Teams
The practical implications for teams shipping software today fall into four categories.
Dependency inventory is no longer optional. FFmpeg ships inside hundreds of packages and applications. It is embedded in container images, Python wheels (via imageio, moviepy, and others), Node.js bindings, browser components, and consumer appliances. The upstream patch does not propagate automatically to bundled copies. Teams that do not know where FFmpeg appears in their dependency tree — including transitive and embedded copies — cannot patch it. An SBOM (Software Bill of Materials) generated from your build artifacts, not just your manifest files, is the minimum starting point. Tools like syft, trivy, and dependency-track can surface embedded FFmpeg copies that npm audit or pip audit will miss.
The patch cadence has changed. The industry's mean time to remediate for critical vulnerabilities was 38 days per Synack's 2026 report. With attackers able to run AI agents against the same codebases at near-zero marginal cost, that window is unrealistic for vulnerabilities with public PoCs. The DFVULN-127 PoC was published on June 2. Organizations that treated the FFmpeg CVEs as next-sprint work were exposed for weeks. The patch pipeline for critical, network-reachable vulnerabilities with public exploit code needs to operate on a days-not-weeks timeline.
Media processing pipelines require isolation. The DFVULN-127 vulnerability is exploitable against any process running FFmpeg with a live RTSP stream from an untrusted source. This is not a hypothetical attack surface — it describes every media ingest pipeline, every transcoding service, and every surveillance system that accepts user-supplied stream URLs. The immediate mitigation is to sandbox these workloads: run FFmpeg in isolated containers with no network egress (for local file processing) or with restricted egress rules (for network stream processing). Seccomp profiles, AppArmor, and gVisor can limit the blast radius of a successful exploit even before a patch is applied.
Assume every library is vulnerable. The economics now support adversaries running continuous, automated scans across an organization's entire software dependency tree. With autonomous agents costing $1,000 per target, the calculation has shifted from "will this target be audited?" to "when will it be audited, and by whom?" Defense-in-depth architecture — network segmentation, least-privilege execution, runtime detection — becomes the primary control, with patching as a supporting layer rather than the foundation.
The Structural Shift
The FFmpeg disclosure marks a structural discontinuity in vulnerability research economics, not a one-off benchmark. Prior to AI-driven autonomous discovery, producing a confirmed, exploitable zero-day in a mature, widely-audited codebase like FFmpeg required thousands of hours of expert researcher time at a cost of 500,000. Depthfirst's engagement produced comparable output at roughly 0.2 to 0.5 percent of that cost. Even compared to Anthropic's Mythos — itself a frontier model — depthfirst's purpose-built agent achieved a 10x cost reduction.
The implication is not that every codebase will immediately have 21 zero-days discovered for $1,000. The depthfirst result represents a single run on a specific target with a specific agent configuration. But the trajectory is clear: the cost of finding vulnerabilities is dropping faster than the ecosystem's capacity to absorb and patch them.
Project Glasswing demonstrated this at scale: 1,596 disclosures, 281 projects, 97 patches in the first month. The depthfirst FFmpeg run adds a second dimension — not just scale, but depth. A single focused agent run against a hardened target produced results that rival the output of a $200,000 human-led audit. The two approaches are complementary — breadth and depth — and both are now AI-driven.
The earlier fear in security circles was that nation-state actors would be the first to weaponize AI for vulnerability discovery. The real story of 2026 is different: the capability commoditized before any single actor could monopolize it. Depthfirst is a startup. Its agent runs on commercially available models. The PoC code is public on GitHub. The offensive capability is not locked inside an intelligence agency; it is available to any security researcher, any penetration testing firm, and any well-funded adversary willing to replicate the approach.
Defenders do not get to choose which side of this curve they are on. They only get to choose whether they are prepared.
Applied Recommendations
For teams integrating this into their operational reality:
Map your FFmpeg dependency surface immediately. Run syft or trivy against your container images, appliance firmware, and base OS images. Identify every package that bundles FFmpeg — including transitive dependencies like gstreamer, chromium (which embeds FFmpeg), and multimedia Python packages. This is a one-time audit that pays for itself in the first incident it prevents.
Establish a critical-vulnerability SLA measured in days. The traditional 30- to 45-day patch cycle for critical CVEs predates the era of public PoC-in-a-Dockerfile. For vulnerabilities with confirmed exploitability, the remediation timeline should be measured in hours to days. This requires pre-authorized emergency change processes, staged rollback plans, and tested deployment automation.
Audit RTSP and RTP handling in your infrastructure. The DFVULN-127 attack vector — ffmpeg -i rtsp://attacker/stream — is present in surveillance systems, live streaming pipelines, broadcast infrastructure, and developer testing environments. Every deployment that accepts RTSP input from untrusted sources should be cataloged, sandboxed, and patched. If you cannot identify every instance of RTSP consumption in your infrastructure, you have an asset-management problem that predates this vulnerability but is now an emergency.
Integrate autonomous security scanning into your CI pipeline. The same technology that discovered 21 zero-days for $1,000 can be deployed against your own code before it ships. Depthfirst, Semgrep's AI-powered analysis, and GitHub's code scanning ecosystem all offer agentic or AI-assisted vulnerability detection. The window between "a vulnerability is found" and "a PoC is public" is shrinking. Finding your own vulnerabilities before attackers do is no longer aspirational — it is the only viable strategy.
Adopt layered defense-in-depth beyond patching. The open-source patching pipeline is structurally incapable of keeping pace with AI-driven discovery, as Project Glasswing's six percent remediation rate demonstrates. Relying on patches as the primary defense assumes a timeline that no longer exists. Network segmentation, runtime application self-protection (RASP), and least-privilege execution must operate as primary controls, not afterthoughts.