AI Agents That Find Zero-Days: The FFmpeg Case Study
On June 6, 2026, security startup Depthfirst announced that its autonomous AI security agent had discovered 21 previously unknown zero-day vulnerabilities in FFmpeg — the world's most widely deployed media processing library. The agent scanned roughly 1.5 million lines of C code at a total inference cost of approximately $1,000, producing confirmed vulnerabilities with reproducible proof-of-concept inputs for each finding.
Several of the discovered bugs had been latent for 15 to 23 years. The oldest — a stack buffer overflow in the Service Description Table (SDT) parser — dates to 2003 and survived two decades of continuous fuzzing, expert manual audits, and automated scanning by the security community. It took a $1,000 agent run to surface it.
This article provides a full technical breakdown of the Depthfirst findings, the exploit mechanics of the most severe vulnerability, the broader context of AI-accelerated vulnerability discovery, and practical mitigation guidance.
What Depthfirst Built
Depthfirst's system is an autonomous AI security agent — not a traditional fuzzer or static analyzer, but an agentic scaffold built on publicly available Claude models that can reason about source code, formulate hypotheses about potential vulnerabilities, generate test inputs, execute them, and verify results without human intervention.
The architecture differs from prior work in several critical ways:
- No human in the discovery loop. Previous AI-assisted vulnerability research (Google's Big Sleep, Anthropic's Mythos preview) involved a human researcher guiding the model toward promising targets. Depthfirst's agent operates autonomously from source-code ingestion through PoC generation.
- Built on public models. The team explicitly noted they do not have access to Anthropic's proprietary Mythos model. Their agent uses commercially available Claude APIs — placing this capability within reach of any organization or threat actor able to pay standard API rates.
- End-to-end verification. Each finding includes a reproducible PoC input that triggers the vulnerability in a stock FFmpeg binary, eliminating false positives.
- Cost efficiency. The total compute cost of approximately 10,000.
The economic implications are stark: vulnerability discovery has crossed from a labor-intensive, expert-driven craft to a commodity capability available at API-call pricing.
The 21 Findings
The agent's findings span parsers and demuxers across FFmpeg's codebase. Of the 21 confirmed vulnerabilities:
- 9 have been assigned CVE identifiers in the CVE-2026-39210 through CVE-2026-39218 range.
- 12 additional findings have been confirmed, fixed upstream, and are awaiting CVE assignment (tracked under Depthfirst's internal DFVULN identifiers).
The vulnerabilities are predominantly heap and stack buffer overflows — the class of memory-safety bugs that account for the majority of severe CVEs in C/C++ codebases.
CVE-Assigned Vulnerabilities
| CVE | Component | Vulnerability Type | Year Introduced |
|---|---|---|---|
| CVE-2026-39210 | TS demuxer | Heap Buffer Overflow | 2010 |
| CVE-2026-39211 | swscale | Integer Overflow | 2010 |
| CVE-2026-39212 | ffmpeg_opt.c | Stack Overflow (recursive preset parsing) | 2025 |
| CVE-2026-39213 | yuv4mpegenc rawvideo | Heap Buffer Overflow | 2023 |
| CVE-2026-39214 | SDT handling | Stack Buffer Overflow | 2003 |
| CVE-2026-39215 | update_mb_info() | Heap Buffer Overflow (12 bytes past allocation) | 2012 |
| CVE-2026-39216 | img2enc.c | Heap Buffer Overflow | 2012 |
| CVE-2026-39217 | VP9 decoder | Heap Buffer Overflow (tile thread buffer) | 2025 |
| CVE-2026-39218 | DASH demuxer | Heap Buffer Overflow (negative duration index) | 2017 |
The 23-Year-Old Bug: CVE-2026-39214
The most striking finding is CVE-2026-39214, a stack buffer overflow in the Service Description Table (SDT) implementation that was introduced in 2003 — the same year FFmpeg's precursor project was created. The bug writes service entries to a fixed-size stack buffer without tracking remaining capacity, allowing a crafted transport stream to overflow the buffer.
That this vulnerability sat undetected for 23 years despite:
- Continuous fuzzing by the FFmpeg project's own test infrastructure
- Multiple professional security audits
- Google's Big Sleep AI agent examining the same codebase in 2025
- Hundreds of external security researchers examining the code
...is a testament to how deeply a single missed bounds check can hide in a mature, heavily-audited codebase.
The Critical Finding: DFVULN-127 — 183-Byte RCE
The most severe vulnerability discovered is tracked internally as DFVULN-127, a heap buffer overflow in FFmpeg's AV1 RTP depacketizer (libavformat/rtpdec_av1.c in the av1_handle_packet() function).
Attack Vector
The vulnerability is reachable via the most ordinary FFmpeg invocation imaginable:
ffmpeg -i rtsp://attacker/stream
No authentication. No unusual command-line flags. No user interaction beyond opening the stream. The bug triggers during the normal RTSP PLAY phase — the standard sequence that every RTSP client performs.
Exploit Mechanics
The AV1 RTP depacketizer handles the Temporal Delimiter OBU (Open Bitstream Unit) by advancing the output cursor without writing data. When the following OBU arrives, the obu_size field determines the amount of data copied. A crafted sequence where:
- A Temporal Delimiter OBU advances the output position without allocating matching space
- A subsequent OBU with a controlled
obu_sizefield triggers a write past the allocated buffer
...overwrites an AVBuffer.free function pointer stored in heap memory adjacent to the packet buffer.
When FFmpeg's internal buffer management releases the corrupted buffer, it calls the overwritten free pointer. With the instruction pointer redirected to an attacker-controlled value (Depthfirst's PoC achieves 0xdeadbeef), arbitrary code execution follows.
The entire exploit fits in a single 183-byte RTP packet.
Affected Deployments
Any service that points FFmpeg at an attacker-influenced RTSP URL is exposed:
- Media ingest pipelines that fetch user-supplied stream URLs for transcoding
- Surveillance and CCTV systems that aggregate RTSP feeds from cameras
- Transcoding services that process remote AV1-over-RTP sources
- Content delivery platforms that accept stream URLs for preview generation
This is not a theoretical concern. The PoC is publicly available on GitHub, and with public exploit code, active scanning and exploitation attempts are expected to follow rapidly.
The Week in Vulnerabilities: Chrome 149
The same week Depthfirst published its FFmpeg findings, Google shipped Chrome 149 with patches for 429 security vulnerabilities — a record single-release total, with 22 classified as critical and 87 as high severity.
The most severe Chrome flaw, CVE-2026-10881, is an out-of-bounds read/write in the ANGLE graphics engine carrying a CVSS 9.6 rating and potential sandbox escape capability. The researcher who reported it received a $97,000 bug bounty — the upper limit of Google's Chrome VRP.
The Chrome 149 patch set alone exceeds the total number of Chrome security fixes for most of 2025. The dominant vulnerability class is use-after-free (UAF), with 66 of the 429 flaws being UAF bugs. ANGLE alone accounts for 35 of the vulnerabilities, of which 4 are rated Critical.
The juxtaposition of these two events — Depthfirst's $1,000 FFmpeg audit yielding 21 zero-days, and Chrome shipping a record 429 patches in a single release — illustrates the central tension organizations now face: AI systems are producing vulnerability findings faster than software maintainers, enterprise patch teams, and vulnerability management workflows can absorb them.
The AI Vulnerability Discovery Landscape
Depthfirst's result did not emerge in isolation. It is the latest in an accelerating series of milestones:
| Date | Research | Scale |
|---|---|---|
| Aug 2025 | Google Big Sleep (DeepMind + Project Zero) | 20 vulnerabilities in FFmpeg, ImageMagick |
| 2025 | AISLE | CVEs in OpenSSL at rate surpassing all human discovery |
| Apr 2026 | Anthropic Mythos Preview | Thousands of zero-days across major OS/browsers |
| May 2026 | TrendAI ÆSIR | 21 CVEs in NVIDIA, Tencent, MLflow components |
| Jun 2026 | Depthfirst | 21 zero-days in FFmpeg for $1,000 |
Each of these systems uses a fundamentally different approach from traditional vulnerability research tools:
- Not fuzzing. Fuzzing finds crashes, not necessarily exploitable vulnerabilities. The AI agent reasons about code semantics, identifies the root cause, and crafts inputs that prove exploitability.
- Not SAST/DAST. Static analysis produces high false-positive rates. Dynamic analysis requires runtime instrumentation. The AI agent combines code reasoning with execution verification.
- Not human-led. The agent drives the discovery process end-to-end, from source ingestion through PoC generation.
AI-Generated Exploits in the Wild
The offensive implications are already materializing. In May 2026, Google's Threat Intelligence Group (GTIG) documented the first confirmed instance of a threat actor developing an AI-generated zero-day exploit and staging it for deployment — a Python script targeting a web-based system administration tool, exploiting a two-factor authentication bypass. GTIG disrupted the campaign before mass exploitation occurred.
Analysts identified the script as AI-generated based on stylistic hallmarks: educational docstrings, a hallucinated CVSS score embedded in the code, and code structure patterns characteristic of LLM output.
Separately, PRC-nexus actors such as UNC2814 have been observed using AI for vulnerability research on embedded devices, while North Korea's APT45 has been seen submitting thousands of repetitive prompts to AI systems for CVE analysis and PoC validation — systematically accelerating the weaponization of known vulnerabilities.
Economic Implications
The economics of vulnerability research have inverted:
- Finding vulnerabilities is now a commodity capability available at API pricing. A $1,000 agent run can match or exceed the output of a team of senior security researchers working for weeks.
- Triaging, patching, and deploying fixes remains labor-intensive and slow. The median time to patch for critical CVEs across the industry is measured in weeks to months.
- AI-accelerated discovery is widening the window between identification and remediation.
The Cloud Security Alliance's research note on the Depthfirst disclosure states the situation bluntly: "Organizations relying on traditional patch cycle timelines — weekly or monthly — now face a structural mismatch with AI-accelerated discovery rates that has no near-term resolution."
This structural mismatch creates an asymmetric dynamic. Defenders must maintain the current patch-and-pray posture, while attackers — including state-sponsored actors, ransomware groups, and independent researchers — now have access to commodity-grade zero-day discovery tools. The bottleneck has shifted from discovering vulnerabilities to operationalizing them, and attackers have always been better at that part of the cycle.
Mitigation Checklist
For organizations that bundle FFmpeg — and that includes most of the internet:
Immediate (Next 24 Hours)
- Update FFmpeg to the latest patched version. Verify the build includes the upstream fix commits for CVE-2026-39210 through CVE-2026-39218 and the 12 unnumbered DFVULN fixes.
- Check embedded FFmpeg copies in containers, Docker images, IoT firmware, and mobile app bundles. Static linking means the host system's FFmpeg update does not cover them.
- Audit any service that accepts user-supplied RTSP/RTP URLs and processes them with FFmpeg — these are the highest-risk deployments for DFVULN-127.
Short-Term (Next Week)
- Inventory all FFmpeg deployments across the organization, including cloud transcoding services, media pipelines, surveillance systems, and developer workstations.
- For any service that processes untrusted RTSP streams, consider running FFmpeg in a sandboxed or containerized environment with minimal privileges.
- Review asset management systems to ensure FFmpeg versions are tracked as a deployable component, not just a system dependency.
Strategic (Ongoing)
- Assume that every widely deployed C/C++ library in your stack contains undiscovered memory-safety vulnerabilities. Plan accordingly.
- Evaluate whether your patch-cycle SLA can keep pace with AI-accelerated disclosure rates. If your average time-to-patch exceeds one week, you are structurally exposed.
- Monitor for AI-accelerated vulnerability research targeting the libraries in your supply chain. The capability is available to anyone with an API key.
The Wider Picture
The Depthfirst FFmpeg disclosure marks a turning point that the security industry has been anticipating since Google's Big Sleep results in 2025. The transition from research demonstration to commodity capability has happened faster than most expected.
When an autonomous AI agent built on publicly available models can scan 1.5 million lines of C code for $1,000 and find 21 zero-days — including a wormable RCE in a library that runs on billions of devices — the question is no longer whether AI will transform vulnerability discovery. It already has.
The question now is whether defenders can adapt their processes fast enough to keep pace.
Related Articles
- Claude Fable 5 / Mythos 5: The "Too Dangerous" Model Goes Public — "Claude Fable 5 / Mythos 5"
- Inside the Miasma Supply Chain Worm — "Inside the Miasma Supply Chain Worm"